dcrat | 5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a

Analysis

max time kernel
149s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Size

1.8MB
MD5

5fe5c094a2fd1a198178aa10c5b62307
SHA1

766b36ad58f89249728f8405b893ee104f3a8e6d
SHA256

5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a
SHA512

c1d4c29f0bf10787c5ed6bafd244f466a9be5a805976670a52337d90362eb00d3f9a278d822d9858128d5c8189c1da1125da76dd75b3e10d04be639a4e30b0c0
SSDEEP

49152:mhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMh:mgVTVXYNX9mOWSkM

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	264	schtasks.exe

UAC bypass 3 TTPs 21 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

lsm.exelsm.exe5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exelsm.exelsm.exelsm.exelsm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2520-1-0x0000000000100000-0x00000000002CE000-memory.dmp	dcrat
C:\Program Files (x86)\Windows NT\Accessories\services.exe	dcrat
behavioral1/memory/2844-135-0x0000000000340000-0x000000000050E000-memory.dmp	dcrat
behavioral1/memory/1588-183-0x00000000001E0000-0x00000000003AE000-memory.dmp	dcrat
behavioral1/memory/2736-195-0x00000000010E0000-0x00000000012AE000-memory.dmp	dcrat
behavioral1/memory/768-208-0x00000000012E0000-0x00000000014AE000-memory.dmp	dcrat
behavioral1/memory/1504-233-0x00000000000A0000-0x000000000026E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
612	powershell.exe
2248	powershell.exe
1984	powershell.exe
2196	powershell.exe
2100	powershell.exe
1152	powershell.exe
2220	powershell.exe
1576	powershell.exe
2480	powershell.exe
2284	powershell.exe
2124	powershell.exe

Executes dropped EXE 6 IoCs

Processes:

lsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

pid process

2844 lsm.exe
1588 lsm.exe
2736 lsm.exe
768 lsm.exe
2616 lsm.exe
1504 lsm.exe

pid	process
2844	lsm.exe
1588	lsm.exe
2736	lsm.exe
768	lsm.exe
2616	lsm.exe
1504	lsm.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

lsm.exelsm.exelsm.exe5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exelsm.exelsm.exelsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

Drops file in Program Files directory 20 IoCs

Processes:

5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows NT\Accessories\services.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\c5b4cb5e9653cc	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\6cb0b6c459d5d3	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\dllhost.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\5940a34987c991	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File created	C:\Program Files\Uninstall Information\886983d96e3d3e	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\RCXE130.tmp	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File created	C:\Program Files\DVD Maker\it-IT\f3b6ecef712a24	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\dwm.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\RCXDF2C.tmp	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\spoolsv.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\RCXE538.tmp	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXEB43.tmp	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File created	C:\Program Files\Uninstall Information\csrss.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RCXE93F.tmp	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Program Files\Uninstall Information\csrss.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File created	C:\Program Files\DVD Maker\it-IT\spoolsv.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\services.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\dllhost.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\dwm.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe

Drops file in Windows directory 4 IoCs

Processes:

5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe

description	ioc	process
File created	C:\Windows\CSC\System.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File created	C:\Windows\CSC\27d1bcfc3c54e0	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Windows\CSC\RCXE334.tmp	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Windows\CSC\System.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2716	schtasks.exe
2820	schtasks.exe
1076	schtasks.exe
1420	schtasks.exe
2932	schtasks.exe
2972	schtasks.exe
1008	schtasks.exe
2736	schtasks.exe
2852	schtasks.exe
2036	schtasks.exe
2824	schtasks.exe
2728	schtasks.exe
2332	schtasks.exe
1772	schtasks.exe
3004	schtasks.exe
2484	schtasks.exe
2324	schtasks.exe
3000	schtasks.exe
2152	schtasks.exe
2344	schtasks.exe
2636	schtasks.exe
2748	schtasks.exe
2724	schtasks.exe
2688	schtasks.exe
2996	schtasks.exe
1844	schtasks.exe
2628	schtasks.exe
2948	schtasks.exe
2936	schtasks.exe
1148	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

pid	process
2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
2248	powershell.exe
612	powershell.exe
2124	powershell.exe
2100	powershell.exe
2220	powershell.exe
1984	powershell.exe
1152	powershell.exe
2196	powershell.exe
2480	powershell.exe
1576	powershell.exe
2284	powershell.exe
2844	lsm.exe
1588	lsm.exe
2736	lsm.exe
768	lsm.exe
2616	lsm.exe
1504	lsm.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exepowershell.exepowershell.exepowershell.exepowershell.exelsm.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelsm.exelsm.exelsm.exelsm.exelsm.exe

description	pid	process
Token: SeDebugPrivilege	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	612	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2844	lsm.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	1588	lsm.exe
Token: SeDebugPrivilege	2736	lsm.exe
Token: SeDebugPrivilege	768	lsm.exe
Token: SeDebugPrivilege	2616	lsm.exe
Token: SeDebugPrivilege	1504	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exelsm.exeWScript.exelsm.exeWScript.exelsm.exeWScript.exelsm.exe

description	pid	process	target process
PID 2520 wrote to memory of 1576	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 1576	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 1576	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 612	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 612	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 612	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 2480	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 2480	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 2480	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 2284	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 2284	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 2284	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 2124	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 2124	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 2124	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 2248	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 2248	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 2248	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 1984	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 1984	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 1984	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 2100	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 2100	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 2100	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 1152	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 1152	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 1152	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 2196	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 2196	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 2196	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 2220	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 2220	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 2220	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	powershell.exe
PID 2520 wrote to memory of 2844	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	lsm.exe
PID 2520 wrote to memory of 2844	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	lsm.exe
PID 2520 wrote to memory of 2844	2520	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	lsm.exe
PID 2844 wrote to memory of 2288	2844	lsm.exe	WScript.exe
PID 2844 wrote to memory of 2288	2844	lsm.exe	WScript.exe
PID 2844 wrote to memory of 2288	2844	lsm.exe	WScript.exe
PID 2844 wrote to memory of 444	2844	lsm.exe	WScript.exe
PID 2844 wrote to memory of 444	2844	lsm.exe	WScript.exe
PID 2844 wrote to memory of 444	2844	lsm.exe	WScript.exe
PID 2288 wrote to memory of 1588	2288	WScript.exe	lsm.exe
PID 2288 wrote to memory of 1588	2288	WScript.exe	lsm.exe
PID 2288 wrote to memory of 1588	2288	WScript.exe	lsm.exe
PID 1588 wrote to memory of 2056	1588	lsm.exe	WScript.exe
PID 1588 wrote to memory of 2056	1588	lsm.exe	WScript.exe
PID 1588 wrote to memory of 2056	1588	lsm.exe	WScript.exe
PID 1588 wrote to memory of 2960	1588	lsm.exe	WScript.exe
PID 1588 wrote to memory of 2960	1588	lsm.exe	WScript.exe
PID 1588 wrote to memory of 2960	1588	lsm.exe	WScript.exe
PID 2056 wrote to memory of 2736	2056	WScript.exe	lsm.exe
PID 2056 wrote to memory of 2736	2056	WScript.exe	lsm.exe
PID 2056 wrote to memory of 2736	2056	WScript.exe	lsm.exe
PID 2736 wrote to memory of 3004	2736	lsm.exe	WScript.exe
PID 2736 wrote to memory of 3004	2736	lsm.exe	WScript.exe
PID 2736 wrote to memory of 3004	2736	lsm.exe	WScript.exe
PID 2736 wrote to memory of 1964	2736	lsm.exe	WScript.exe
PID 2736 wrote to memory of 1964	2736	lsm.exe	WScript.exe
PID 2736 wrote to memory of 1964	2736	lsm.exe	WScript.exe
PID 3004 wrote to memory of 768	3004	WScript.exe	lsm.exe
PID 3004 wrote to memory of 768	3004	WScript.exe	lsm.exe
PID 3004 wrote to memory of 768	3004	WScript.exe	lsm.exe
PID 768 wrote to memory of 2672	768	lsm.exe	WScript.exe

System policy modification 1 TTPs 21 IoCs

evasion

Modify Registry

T1112

Processes:

lsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
"C:\Users\Admin\AppData\Local\Temp\5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\it-IT\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CSC\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\de-DE\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsm.exe
  "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsm.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2844
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7422ce5c-b7bd-4fe8-b615-5f2a97b71b49.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsm.exe
      "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsm.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1588
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a183234-7d02-402d-a98c-8fceb89f193e.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2056
      - C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsm.exe
        
        "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsm.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea07b1de-babf-4cce-bbbb-a4fe634b6e22.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsm.exe
        
        "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsm.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8b4caca-0ef9-406a-b241-cb776bf91893.vbs"
        9⤵
        
        PID:2672
        
        C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsm.exe
        
        "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsm.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf56450e-716c-4747-b497-e7288cd70d3b.vbs"
        11⤵
        
        PID:1644
        
        C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsm.exe
        
        "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsm.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd3ebf8a-7224-4341-ac77-7163b4d6e142.vbs"
        11⤵
        
        PID:1592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcc1283e-d103-42e8-80b4-95cad54357f3.vbs"
        9⤵
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0786f6b3-1d85-474a-911b-4424f6b9c35d.vbs"
        7⤵
        
        PID:1964
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\001bd4b3-9458-4d8b-9c4c-67bff5ca7df3.vbs"
        5⤵
        
        PID:2960
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5579a7a5-6451-4ac5-9dec-4dc63bd8b93a.vbs"
    3⤵
    PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\it-IT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\CSC\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\CSC\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\CSC\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\Accessories\services.exe

Filesize
1.8MB

MD5
5fe5c094a2fd1a198178aa10c5b62307

SHA1
766b36ad58f89249728f8405b893ee104f3a8e6d

SHA256
5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a

SHA512
c1d4c29f0bf10787c5ed6bafd244f466a9be5a805976670a52337d90362eb00d3f9a278d822d9858128d5c8189c1da1125da76dd75b3e10d04be639a4e30b0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5579a7a5-6451-4ac5-9dec-4dc63bd8b93a.vbs

Filesize
523B

MD5
6c921e06623c97c23394b2165f7090d1

SHA1
6eb5346b4f9b387963b173675dbbd7558c502833

SHA256
4006d19e80e02e905ce65c5da1b1e4ad5b5607fffeee76db038aac70beb887bb

SHA512
f795c6877bb61b13da432e713793e90976c08c1658684371a1bb56dab07098fe8336e6d1366255980c9b545bc743f5b718b847d87e204bbf5e61610e1d8d28c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7422ce5c-b7bd-4fe8-b615-5f2a97b71b49.vbs

Filesize
747B

MD5
fae5109b19951395f55d692da59c4ab3

SHA1
1611a184cb21da7b30e7df064ab361602890d1d4

SHA256
bea2f66e41d53f83c797211cc3a69b2b3e6baeea22e0e783bb521d2059299c44

SHA512
1faad5ab192084fed19a09296a6b58f943264e8e5e5b251ea976bffd1af39f2a347fad67ee97777a6129ede320259956fc402477ce7a06a8ff69da0fce507022

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a183234-7d02-402d-a98c-8fceb89f193e.vbs

Filesize
747B

MD5
0960718dfb8d6c66d882155a7b5dd4a2

SHA1
e03f6b0edb0d6d83ac68423c9d79a44099506d9a

SHA256
a9d7281d8615200e65cd1f02a58dfccc4dfc7b7a0dc6d4b278972245a20c372d

SHA512
ebeb856ae3ffbcb3406e49705fc4d24288260bf02d8b8d29a1d9e7928d3ba73125fa97a7077d55f434d6200f3861a99f906887d19c9409ac119ba627801c6661

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf56450e-716c-4747-b497-e7288cd70d3b.vbs

Filesize
747B

MD5
bc49e1fd645d2936f39279cb686946fd

SHA1
553614d956d81656a557eb0576255fff7517a64e

SHA256
ac52d9be589c2c74ea93c91ba3dfc5f5e8b5d67a0c7a0b4ea75e16338b8ab8d5

SHA512
adff49797ae78269e84ba8f9409fe1861ecbbd0103486b08ea86a22fcc2386b69e33dbb725ffddb714addc4f44b96db79cb13ca1f14d2a6d5cf4d8219ff82cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8b4caca-0ef9-406a-b241-cb776bf91893.vbs

Filesize
746B

MD5
2999a577c4c798518a5b6fb53d36f7c0

SHA1
a70b3389fc4671ff55c485b4141f6539abe5faae

SHA256
071089cbdfd579c9d2a3d287e2afd2c7930cae996f7cbf99871c68bd1752a93b

SHA512
e1338c5a4073389453e3e4af642171ca27b7411efef1ccf636202f4dc8cadee316e7a6cbfc0e6305eec554317c025902a185bc5f20e134b6a1f95bdd434fc23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea07b1de-babf-4cce-bbbb-a4fe634b6e22.vbs

Filesize
747B

MD5
b498a6eb709bef365033eb6b4ab50507

SHA1
52b39ccfa8ccf67bc865d72a37e357f97998fc31

SHA256
eb497b3bf2fdf607aab0e082c3cfe49cfd6e93dd02545490fb19e9fb25e6eb85

SHA512
13020b4bf5a06059eb37a25dc132f6c1838b5ed7c84c8ed24e482342035f16ec0dcfc67cc975dc93f5f239e224936284765c747a73be8888804dfd785370e6d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
29bbbeb8b42a93bec698d5b14f46d93d

SHA1
c00e8c412bf2e3ae708ac8c5567e2087424f0281

SHA256
e4f83e1642d7aa8ddd0f5c924b38702ccb594df787de98ffa7631a8ee73609ac

SHA512
8463bbfe4a064e8d33b4c37d7cf35f186f5d3f922b1c56ee1c2bfcb199a8456ee5da32890a7443000ac2887e79b365c05cb73a21467a3e33aeeb44b935367513

Download Submit
memory/768-208-0x00000000012E0000-0x00000000014AE000-memory.dmp

Filesize
1.8MB

Download
memory/768-209-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/1504-233-0x00000000000A0000-0x000000000026E000-memory.dmp

Filesize
1.8MB

Download
memory/1588-183-0x00000000001E0000-0x00000000003AE000-memory.dmp

Filesize
1.8MB

Download
memory/2248-113-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2248-114-0x0000000002850000-0x0000000002858000-memory.dmp

Filesize
32KB

Download
memory/2520-9-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/2520-4-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/2520-14-0x0000000000700000-0x000000000070C000-memory.dmp

Filesize
48KB

Download
memory/2520-13-0x00000000006F0000-0x00000000006FE000-memory.dmp

Filesize
56KB

Download
memory/2520-12-0x00000000006E0000-0x00000000006EE000-memory.dmp

Filesize
56KB

Download
memory/2520-11-0x00000000006D0000-0x00000000006DA000-memory.dmp

Filesize
40KB

Download
memory/2520-1-0x0000000000100000-0x00000000002CE000-memory.dmp

Filesize
1.8MB

Download
memory/2520-142-0x000007FEF6530000-0x000007FEF6F1C000-memory.dmp

Filesize
9.9MB

Download
memory/2520-2-0x000007FEF6530000-0x000007FEF6F1C000-memory.dmp

Filesize
9.9MB

Download
memory/2520-10-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/2520-0-0x000007FEF6533000-0x000007FEF6534000-memory.dmp

Filesize
4KB

Download
memory/2520-8-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/2520-7-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/2520-3-0x0000000000490000-0x00000000004AC000-memory.dmp

Filesize
112KB

Download
memory/2520-5-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/2520-6-0x00000000004D0000-0x00000000004E6000-memory.dmp

Filesize
88KB

Download
memory/2520-15-0x0000000000820000-0x000000000082C000-memory.dmp

Filesize
48KB

Download
memory/2616-221-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2736-196-0x0000000000B50000-0x0000000000B62000-memory.dmp

Filesize
72KB

Download
memory/2736-195-0x00000000010E0000-0x00000000012AE000-memory.dmp

Filesize
1.8MB

Download
memory/2844-172-0x0000000000760000-0x0000000000772000-memory.dmp

Filesize
72KB

Download
memory/2844-135-0x0000000000340000-0x000000000050E000-memory.dmp

Filesize
1.8MB

Download