dcrat | 277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2

Analysis

max time kernel
122s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04/11/2024, 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
Size

1.9MB
MD5

967181542acac77f5b13f46542e84812
SHA1

09fbf9cfb636459cc4d54308b5b1c91d32a29f22
SHA256

277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2
SHA512

323023582fcc14c30aca827db68bb91204a5e6dc894bb1228370a3c925bb28559778f09a0b3d4581d462921630cede3ac1cd4c864357ee5b4928698e5bbdf082
SSDEEP

49152:LcC3djqo2xuELnaWpofrYR0nhJLVxIkpAUfKcwucQW1:LcC3djqo2PLaWyPrYkpsc6QW1

Score

10^/10

dcrat execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\""	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\", \"C:\\Users\\Admin\\Templates\\dllhost.exe\""	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\", \"C:\\Users\\Admin\\Templates\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\winlogon.exe\""	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\", \"C:\\Users\\Admin\\Templates\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\winlogon.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe\""	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe\""	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe\", \"C:\\MSOCache\\All Users\\System.exe\""	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	1192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	1192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	1192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	1192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	1192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	1192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	1192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	1192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	1192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	1192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	1192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	1192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	1192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	1192	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1028	powershell.exe
820	powershell.exe
2088	powershell.exe
2072	powershell.exe
2224	powershell.exe
2360	powershell.exe
896	powershell.exe
936	powershell.exe
1476	powershell.exe
2852	powershell.exe
2332	powershell.exe
2172	powershell.exe
2420	powershell.exe
2516	powershell.exe
3048	powershell.exe
3028	powershell.exe
584	powershell.exe
3008	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2584	System.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2 = "\"C:\\Program Files (x86)\\Windows Mail\\it-IT\\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe\""	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\System.exe\""	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\System.exe\""	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\""	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\""	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\Templates\\dllhost.exe\""	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2 = "\"C:\\Program Files (x86)\\Windows Mail\\it-IT\\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe\""	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\Templates\\dllhost.exe\""	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\winlogon.exe\""	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\winlogon.exe\""	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe\""	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe\""	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCBE9401BC8550425494FCB872E6165220.TMP	csc.exe
File created	\??\c:\Windows\System32\hi5-9c.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\it-IT\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\0bbfc5c950de56	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2720	schtasks.exe
2928	schtasks.exe
2724	schtasks.exe
1804	schtasks.exe
1996	schtasks.exe
1656	schtasks.exe
3044	schtasks.exe
2660	schtasks.exe
2672	schtasks.exe
1352	schtasks.exe
2892	schtasks.exe
1780	schtasks.exe
2856	schtasks.exe
2796	schtasks.exe
2988	schtasks.exe
1960	schtasks.exe
1296	schtasks.exe
1944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2584	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2948	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	34
PID 2044 wrote to memory of 2948	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	34
PID 2044 wrote to memory of 2948	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	34
PID 2948 wrote to memory of 2692	2948	csc.exe	36
PID 2948 wrote to memory of 2692	2948	csc.exe	36
PID 2948 wrote to memory of 2692	2948	csc.exe	36
PID 2044 wrote to memory of 2852	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	52
PID 2044 wrote to memory of 2852	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	52
PID 2044 wrote to memory of 2852	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	52
PID 2044 wrote to memory of 2516	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	53
PID 2044 wrote to memory of 2516	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	53
PID 2044 wrote to memory of 2516	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	53
PID 2044 wrote to memory of 2420	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	55
PID 2044 wrote to memory of 2420	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	55
PID 2044 wrote to memory of 2420	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	55
PID 2044 wrote to memory of 1028	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	56
PID 2044 wrote to memory of 1028	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	56
PID 2044 wrote to memory of 1028	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	56
PID 2044 wrote to memory of 2360	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	57
PID 2044 wrote to memory of 2360	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	57
PID 2044 wrote to memory of 2360	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	57
PID 2044 wrote to memory of 2332	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	58
PID 2044 wrote to memory of 2332	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	58
PID 2044 wrote to memory of 2332	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	58
PID 2044 wrote to memory of 2224	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	59
PID 2044 wrote to memory of 2224	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	59
PID 2044 wrote to memory of 2224	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	59
PID 2044 wrote to memory of 2072	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	60
PID 2044 wrote to memory of 2072	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	60
PID 2044 wrote to memory of 2072	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	60
PID 2044 wrote to memory of 3048	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	61
PID 2044 wrote to memory of 3048	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	61
PID 2044 wrote to memory of 3048	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	61
PID 2044 wrote to memory of 3028	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	62
PID 2044 wrote to memory of 3028	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	62
PID 2044 wrote to memory of 3028	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	62
PID 2044 wrote to memory of 1476	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	63
PID 2044 wrote to memory of 1476	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	63
PID 2044 wrote to memory of 1476	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	63
PID 2044 wrote to memory of 936	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	66
PID 2044 wrote to memory of 936	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	66
PID 2044 wrote to memory of 936	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	66
PID 2044 wrote to memory of 896	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	68
PID 2044 wrote to memory of 896	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	68
PID 2044 wrote to memory of 896	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	68
PID 2044 wrote to memory of 2172	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	70
PID 2044 wrote to memory of 2172	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	70
PID 2044 wrote to memory of 2172	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	70
PID 2044 wrote to memory of 2088	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	71
PID 2044 wrote to memory of 2088	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	71
PID 2044 wrote to memory of 2088	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	71
PID 2044 wrote to memory of 3008	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	72
PID 2044 wrote to memory of 3008	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	72
PID 2044 wrote to memory of 3008	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	72
PID 2044 wrote to memory of 584	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	73
PID 2044 wrote to memory of 584	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	73
PID 2044 wrote to memory of 584	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	73
PID 2044 wrote to memory of 820	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	74
PID 2044 wrote to memory of 820	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	74
PID 2044 wrote to memory of 820	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	74
PID 2044 wrote to memory of 544	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	88
PID 2044 wrote to memory of 544	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	88
PID 2044 wrote to memory of 544	2044	277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe	88
PID 544 wrote to memory of 1564	544	cmd.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
"C:\Users\Admin\AppData\Local\Temp\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o5econ5k\o5econ5k.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDB2.tmp" "c:\Windows\System32\CSCBE9401BC8550425494FCB872E6165220.TMP"
    3⤵
    PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\it-IT\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nQDVgqq9FR.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1564
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2716
- - C:\MSOCache\All Users\System.exe
    "C:\MSOCache\All Users\System.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d22" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d22" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Templates\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Templates\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Templates\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d22" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d22" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Mail\it-IT\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe

Filesize
1.9MB

MD5
967181542acac77f5b13f46542e84812

SHA1
09fbf9cfb636459cc4d54308b5b1c91d32a29f22

SHA256
277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2

SHA512
323023582fcc14c30aca827db68bb91204a5e6dc894bb1228370a3c925bb28559778f09a0b3d4581d462921630cede3ac1cd4c864357ee5b4928698e5bbdf082

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDDB2.tmp

Filesize
1KB

MD5
d2b98e3d73cca462abdcbd1c3c5bc45c

SHA1
cb7573f15cafe2c5306862ad88e0b972aded6c5e

SHA256
99b5821f65134eb3b6f15045ea25b5e2f6ca453a1a36320a3f502e93cedaaa96

SHA512
a6856747fa7706826a931406439b6f1da99b576c690a078b294122d43c662d66937e9cd4cf2c8b14c3fbadd31d03eb1fe5dfedf5e757d6afd292d857f51729c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQDVgqq9FR.bat

Filesize
208B

MD5
6ee2633c5528e952500cf087bc30b074

SHA1
09d8c6c4c865358ddae057bb8a6ad57f1e16a605

SHA256
e85663f96c1053352d61f7171929324954d82e68a313121e99ac045064e0ab36

SHA512
4b5f8c608b23eba60dea9d7f0c8508ab934f60f202184c5505f9e38faa4641a3f849830719f2aea21b0d6d3454b2ff036919a688f7bf64c46d83146fd8e38912

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
22922e9fec069be93f16988724e34974

SHA1
f3da3b62c4afac6b926c04320ac0ab6f325d25b7

SHA256
a6e1d2ceedc536fedff8f6c5cabe0649d7b2f5e4a7dfbaf6d8c79b684b810dcf

SHA512
ce1a7d8eb9c5ff9cc65cc1be12771015f84f87f248e4169554b2d02966b3859ae08dc42c974d191697b8caf92a2d261dcc0d2d76b56af02ccd0711e8876d783d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o5econ5k\o5econ5k.0.cs

Filesize
442B

MD5
70562e173c88b34334b2599ab86524c6

SHA1
57407711b164fc91f824a0bebd41b1a8a32120d5

SHA256
0cdca4b0d92818eb7972708c6e77787037f02d0717e0c11caf05090bf5e944d4

SHA512
bc7813e4bf95c614c9a327cedeab91a321326d7df45a2555bd58cc2ad357493bd21c31afd5d59b5c5dc8d347d411f62ae0be4d4cbf34e341ec240f24c242ef15

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o5econ5k\o5econ5k.cmdline

Filesize
235B

MD5
f15d577e6e3d46d589d889f1be3d649b

SHA1
74bb3d72122fc9e8e523a5faa6153d33d85e32ea

SHA256
e6a8ff3d7018e30d3c8c4517011bfeba75919bfa0662639bf37df3b6c68b75b0

SHA512
691b11db54e451c201e6a38b4072d349ed939b3ebf9f065f0d90b024655ef80b0128a5302fed6903d06a781df5bbac0196909ab929d91237a88dcd8c906744c6

Download Submit
\??\c:\Windows\System32\CSCBE9401BC8550425494FCB872E6165220.TMP

Filesize
1KB

MD5
60a1ebb8f840aad127346a607d80fc19

SHA1
c8b7e9ad601ac19ab90b3e36f811960e8badf354

SHA256
9d6a9d38b7a86cc88e551a0c1172a3fb387b1a5f928ac13993ec3387d39cc243

SHA512
44830cefb264bac520174b4b884312dd0393be33a193d4f0fee3cc3c14deb86ca39e43ef281232f9169fd204d19b22e8a7aad72fa448ca52d5cbc3ee1dbb18a4

Download Submit
memory/2044-33-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2044-34-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2044-13-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2044-17-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/2044-15-0x0000000000310000-0x000000000031E000-memory.dmp

Filesize
56KB

Download
memory/2044-18-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2044-24-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2044-8-0x00000000004C0000-0x00000000004DC000-memory.dmp

Filesize
112KB

Download
memory/2044-31-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2044-6-0x00000000002F0000-0x00000000002FE000-memory.dmp

Filesize
56KB

Download
memory/2044-10-0x0000000000560000-0x0000000000578000-memory.dmp

Filesize
96KB

Download
memory/2044-11-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2044-32-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2044-4-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2044-0-0x000007FEF5653000-0x000007FEF5654000-memory.dmp

Filesize
4KB

Download
memory/2044-3-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2044-2-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2044-1-0x0000000001290000-0x000000000147E000-memory.dmp

Filesize
1.9MB

Download
memory/2044-56-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2584-143-0x0000000001180000-0x000000000136E000-memory.dmp

Filesize
1.9MB

Download
memory/2852-126-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2852-121-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download