dcrat | 9700e6f8ed338b7ebf337feef5a215a65d061a709a9067218d5ae73093ecb946

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-11-2024 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

2.5MB
MD5

a13b59f33063b970d7adbe2a23fb5a81
SHA1

7a8f1204af663a38f87816c528e27137f310ae42
SHA256

9700e6f8ed338b7ebf337feef5a215a65d061a709a9067218d5ae73093ecb946
SHA512

6affe7c79c186e4d466c2f975987af39452d9991453d394efdf93af67c5d8e367ab867625d17ecdb2778c5962c40eea9a207e15c48f9346c58d875b86ce7459f
SSDEEP

49152:qbA3q2mzyt2DixLb4I5KKnK5zgdlKWkyT:qbrtzyoWFbvKKnK5Anks

Score

10^/10

dcrat discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Signatures

DcRat 37 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe1.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1756	schtasks.exe
2864	schtasks.exe
2888	schtasks.exe
2000	schtasks.exe
1480	schtasks.exe
924	schtasks.exe
820	schtasks.exe
2956	schtasks.exe
2092	schtasks.exe
2136	schtasks.exe
2300	schtasks.exe
1052	schtasks.exe
2188	schtasks.exe
2012	schtasks.exe
2216	schtasks.exe
664	schtasks.exe
2448	schtasks.exe
1660	schtasks.exe
2192	schtasks.exe
1356	schtasks.exe
2528	schtasks.exe
1236	schtasks.exe
1092	schtasks.exe
1964	schtasks.exe
280	schtasks.exe
692	schtasks.exe
900	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
1004	schtasks.exe
1928	schtasks.exe
1676	schtasks.exe
940	schtasks.exe
1632	schtasks.exe
868	schtasks.exe
1760	schtasks.exe
1900	schtasks.exe
1704	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

BlockDriversession.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\OSPPSVC.exe\", \"C:\\Program Files\\Internet Explorer\\csrss.exe\", \"C:\\Windows\\ModemLogs\\explorer.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\OSPPSVC.exe\", \"C:\\Program Files\\Internet Explorer\\csrss.exe\", \"C:\\Windows\\ModemLogs\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\ms\\LC_MESSAGES\\OSPPSVC.exe\", \"C:\\Windows\\assembly\\explorer.exe\", \"C:\\Users\\Admin\\Downloads\\audiodg.exe\", \"C:\\Windows\\ShellNew\\taskhost.exe\", \"C:\\browserperf\\services.exe\", \"C:\\Windows\\inf\\TermService\\0410\\lsass.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\OSPPSVC.exe\", \"C:\\Program Files\\Internet Explorer\\csrss.exe\", \"C:\\Windows\\ModemLogs\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\ms\\LC_MESSAGES\\OSPPSVC.exe\", \"C:\\Windows\\assembly\\explorer.exe\", \"C:\\Users\\Admin\\Downloads\\audiodg.exe\", \"C:\\Windows\\ShellNew\\taskhost.exe\", \"C:\\browserperf\\services.exe\", \"C:\\Windows\\inf\\TermService\\0410\\lsass.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\audiodg.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\OSPPSVC.exe\", \"C:\\Program Files\\Internet Explorer\\csrss.exe\", \"C:\\Windows\\ModemLogs\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\ms\\LC_MESSAGES\\OSPPSVC.exe\", \"C:\\Windows\\assembly\\explorer.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\OSPPSVC.exe\", \"C:\\Program Files\\Internet Explorer\\csrss.exe\", \"C:\\Windows\\ModemLogs\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\ms\\LC_MESSAGES\\OSPPSVC.exe\", \"C:\\Windows\\assembly\\explorer.exe\", \"C:\\Users\\Admin\\Downloads\\audiodg.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\OSPPSVC.exe\", \"C:\\Program Files\\Internet Explorer\\csrss.exe\", \"C:\\Windows\\ModemLogs\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\ms\\LC_MESSAGES\\OSPPSVC.exe\", \"C:\\Windows\\assembly\\explorer.exe\", \"C:\\Users\\Admin\\Downloads\\audiodg.exe\", \"C:\\Windows\\ShellNew\\taskhost.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\OSPPSVC.exe\", \"C:\\Program Files\\Internet Explorer\\csrss.exe\", \"C:\\Windows\\ModemLogs\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\ms\\LC_MESSAGES\\OSPPSVC.exe\", \"C:\\Windows\\assembly\\explorer.exe\", \"C:\\Users\\Admin\\Downloads\\audiodg.exe\", \"C:\\Windows\\ShellNew\\taskhost.exe\", \"C:\\browserperf\\services.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\OSPPSVC.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\OSPPSVC.exe\", \"C:\\Program Files\\Internet Explorer\\csrss.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\OSPPSVC.exe\", \"C:\\Program Files\\Internet Explorer\\csrss.exe\", \"C:\\Windows\\ModemLogs\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\audiodg.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\OSPPSVC.exe\", \"C:\\Program Files\\Internet Explorer\\csrss.exe\", \"C:\\Windows\\ModemLogs\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\ms\\LC_MESSAGES\\OSPPSVC.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\OSPPSVC.exe\", \"C:\\Program Files\\Internet Explorer\\csrss.exe\", \"C:\\Windows\\ModemLogs\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\ms\\LC_MESSAGES\\OSPPSVC.exe\", \"C:\\Windows\\assembly\\explorer.exe\", \"C:\\Users\\Admin\\Downloads\\audiodg.exe\", \"C:\\Windows\\ShellNew\\taskhost.exe\", \"C:\\browserperf\\services.exe\", \"C:\\Windows\\inf\\TermService\\0410\\lsass.exe\""	BlockDriversession.exe

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2652	schtasks.exe

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

BlockDriversession.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	BlockDriversession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	BlockDriversession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	BlockDriversession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\browserperf\BlockDriversession.exe	dcrat
behavioral1/memory/2884-13-0x0000000001270000-0x000000000149E000-memory.dmp	dcrat
C:\Windows\ModemLogs\RCX7CE4.tmp	dcrat
C:\browserperf\services.exe	dcrat
C:\Program Files (x86)\Windows Photo Viewer\es-ES\audiodg.exe	dcrat
behavioral1/memory/1796-214-0x0000000000F80000-0x00000000011AE000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion
Drops file in Drivers directory 1 IoCs

Processes:

BlockDriversession.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts BlockDriversession.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	BlockDriversession.exe

Executes dropped EXE 11 IoCs

Processes:

BlockDriversession.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2884	BlockDriversession.exe
1796	explorer.exe
2476	explorer.exe
2648	explorer.exe
1740	explorer.exe
2472	explorer.exe
220	explorer.exe
2944	explorer.exe
2848	explorer.exe
2668	explorer.exe
2696	explorer.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2904 cmd.exe
2904 cmd.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
2904	cmd.exe
2904	cmd.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

BlockDriversession.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\ShellNew\\taskhost.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\browserperf\\services.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\audiodg.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\browserperf\\services.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Internet Explorer\\csrss.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\ModemLogs\\explorer.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\audiodg.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\audiodg.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\ms\\LC_MESSAGES\\OSPPSVC.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\ShellNew\\taskhost.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Portable Devices\\cmd.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\audiodg.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Users\\All Users\\Adobe\\OSPPSVC.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Users\\All Users\\Adobe\\OSPPSVC.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Internet Explorer\\csrss.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\ms\\LC_MESSAGES\\OSPPSVC.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\assembly\\explorer.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\inf\\TermService\\0410\\lsass.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Portable Devices\\cmd.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\ModemLogs\\explorer.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\assembly\\explorer.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Admin\\Downloads\\audiodg.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Admin\\Downloads\\audiodg.exe\""	BlockDriversession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\inf\\TermService\\0410\\lsass.exe\""	BlockDriversession.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

BlockDriversession.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	BlockDriversession.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BlockDriversession.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ipinfo.io
8 ipinfo.io

flow	ioc
7	ipinfo.io
8	ipinfo.io

Drops file in Program Files directory 25 IoCs

Processes:

BlockDriversession.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\audiodg.exe	BlockDriversession.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\audiodg.exe	BlockDriversession.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\1610b97d3ab4a7	BlockDriversession.exe
File created	C:\Program Files\Windows Portable Devices\cmd.exe	BlockDriversession.exe
File opened for modification	C:\Program Files\Internet Explorer\csrss.exe	BlockDriversession.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\RCX80FD.tmp	BlockDriversession.exe
File opened for modification	C:\Program Files\Windows Portable Devices\cmd.exe	BlockDriversession.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\OSPPSVC.exe	BlockDriversession.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX8E90.tmp	BlockDriversession.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX8E91.tmp	BlockDriversession.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX7EF8.tmp	BlockDriversession.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\audiodg.exe	BlockDriversession.exe
File created	C:\Program Files\Internet Explorer\csrss.exe	BlockDriversession.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\42af1c969fbb7b	BlockDriversession.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\OSPPSVC.exe	BlockDriversession.exe
File created	C:\Program Files\Windows Portable Devices\ebf1f9fa8afd6d	BlockDriversession.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\42af1c969fbb7b	BlockDriversession.exe
File opened for modification	C:\Program Files\Internet Explorer\RCX7A04.tmp	BlockDriversession.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\RCX90A4.tmp	BlockDriversession.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\RCX9122.tmp	BlockDriversession.exe
File created	C:\Program Files\Internet Explorer\886983d96e3d3e	BlockDriversession.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\audiodg.exe	BlockDriversession.exe
File opened for modification	C:\Program Files\Internet Explorer\RCX7A72.tmp	BlockDriversession.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX7EF9.tmp	BlockDriversession.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\RCX80FE.tmp	BlockDriversession.exe

Drops file in Windows directory 22 IoCs

Processes:

BlockDriversession.exe

description	ioc	process
File created	C:\Windows\assembly\explorer.exe	BlockDriversession.exe
File created	C:\Windows\assembly\7a0fd90576e088	BlockDriversession.exe
File created	C:\Windows\ShellNew\b75386f1303e64	BlockDriversession.exe
File created	C:\Windows\inf\TermService\0410\6203df4a6bafc7	BlockDriversession.exe
File created	C:\Windows\servicing\Packages\conhost.exe	BlockDriversession.exe
File opened for modification	C:\Windows\ModemLogs\RCX7CE3.tmp	BlockDriversession.exe
File opened for modification	C:\Windows\ShellNew\RCX872A.tmp	BlockDriversession.exe
File created	C:\Windows\ModemLogs\7a0fd90576e088	BlockDriversession.exe
File opened for modification	C:\Windows\inf\TermService\0410\RCX8C1F.tmp	BlockDriversession.exe
File opened for modification	C:\Windows\ShellNew\taskhost.exe	BlockDriversession.exe
File opened for modification	C:\Windows\assembly\RCX8311.tmp	BlockDriversession.exe
File opened for modification	C:\Windows\inf\TermService\0410\lsass.exe	BlockDriversession.exe
File opened for modification	C:\Windows\ModemLogs\explorer.exe	BlockDriversession.exe
File created	C:\Windows\inf\TermService\0410\lsass.exe	BlockDriversession.exe
File created	C:\Windows\schemas\EAPMethods\dwm.exe	BlockDriversession.exe
File opened for modification	C:\Windows\ModemLogs\RCX7CE4.tmp	BlockDriversession.exe
File opened for modification	C:\Windows\ShellNew\RCX872B.tmp	BlockDriversession.exe
File opened for modification	C:\Windows\inf\TermService\0410\RCX8BB1.tmp	BlockDriversession.exe
File created	C:\Windows\ModemLogs\explorer.exe	BlockDriversession.exe
File opened for modification	C:\Windows\assembly\RCX8312.tmp	BlockDriversession.exe
File opened for modification	C:\Windows\assembly\explorer.exe	BlockDriversession.exe
File created	C:\Windows\ShellNew\taskhost.exe	BlockDriversession.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1.exeWScript.execmd.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3044 reg.exe

pid	process
3044	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2000	schtasks.exe
2216	schtasks.exe
2528	schtasks.exe
820	schtasks.exe
2888	schtasks.exe
2136	schtasks.exe
1052	schtasks.exe
2092	schtasks.exe
1964	schtasks.exe
2192	schtasks.exe
1928	schtasks.exe
1676	schtasks.exe
940	schtasks.exe
900	schtasks.exe
1356	schtasks.exe
2300	schtasks.exe
664	schtasks.exe
1480	schtasks.exe
1092	schtasks.exe
924	schtasks.exe
1660	schtasks.exe
1236	schtasks.exe
2012	schtasks.exe
2864	schtasks.exe
1632	schtasks.exe
2956	schtasks.exe
2448	schtasks.exe
1704	schtasks.exe
2188	schtasks.exe
1900	schtasks.exe
1756	schtasks.exe
868	schtasks.exe
1760	schtasks.exe
1004	schtasks.exe
280	schtasks.exe
692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

BlockDriversession.exeexplorer.exe

pid	process
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
2884	BlockDriversession.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe
1796	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exeexplorer.exe

pid process

1796 explorer.exe
2476 explorer.exe

pid	process
1796	explorer.exe
2476	explorer.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

BlockDriversession.exeexplorer.exevssvc.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2884	BlockDriversession.exe
Token: SeDebugPrivilege	1796	explorer.exe
Token: SeBackupPrivilege	3024	vssvc.exe
Token: SeRestorePrivilege	3024	vssvc.exe
Token: SeAuditPrivilege	3024	vssvc.exe
Token: SeDebugPrivilege	2476	explorer.exe
Token: SeDebugPrivilege	1740	explorer.exe
Token: SeDebugPrivilege	2472	explorer.exe
Token: SeDebugPrivilege	2648	explorer.exe
Token: SeDebugPrivilege	2668	explorer.exe
Token: SeDebugPrivilege	2944	explorer.exe
Token: SeDebugPrivilege	220	explorer.exe
Token: SeDebugPrivilege	2848	explorer.exe
Token: SeDebugPrivilege	2696	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

explorer.exeexplorer.exe

pid process

1796 explorer.exe
2476 explorer.exe

pid	process
1796	explorer.exe
2476	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1.exeWScript.execmd.exeBlockDriversession.exeexplorer.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2668 wrote to memory of 2716	2668	1.exe	WScript.exe
PID 2668 wrote to memory of 2716	2668	1.exe	WScript.exe
PID 2668 wrote to memory of 2716	2668	1.exe	WScript.exe
PID 2668 wrote to memory of 2716	2668	1.exe	WScript.exe
PID 2716 wrote to memory of 2904	2716	WScript.exe	cmd.exe
PID 2716 wrote to memory of 2904	2716	WScript.exe	cmd.exe
PID 2716 wrote to memory of 2904	2716	WScript.exe	cmd.exe
PID 2716 wrote to memory of 2904	2716	WScript.exe	cmd.exe
PID 2904 wrote to memory of 2884	2904	cmd.exe	BlockDriversession.exe
PID 2904 wrote to memory of 2884	2904	cmd.exe	BlockDriversession.exe
PID 2904 wrote to memory of 2884	2904	cmd.exe	BlockDriversession.exe
PID 2904 wrote to memory of 2884	2904	cmd.exe	BlockDriversession.exe
PID 2884 wrote to memory of 1796	2884	BlockDriversession.exe	explorer.exe
PID 2884 wrote to memory of 1796	2884	BlockDriversession.exe	explorer.exe
PID 2884 wrote to memory of 1796	2884	BlockDriversession.exe	explorer.exe
PID 2904 wrote to memory of 3044	2904	cmd.exe	reg.exe
PID 2904 wrote to memory of 3044	2904	cmd.exe	reg.exe
PID 2904 wrote to memory of 3044	2904	cmd.exe	reg.exe
PID 2904 wrote to memory of 3044	2904	cmd.exe	reg.exe
PID 1796 wrote to memory of 1772	1796	explorer.exe	WScript.exe
PID 1796 wrote to memory of 1772	1796	explorer.exe	WScript.exe
PID 1796 wrote to memory of 1772	1796	explorer.exe	WScript.exe
PID 1796 wrote to memory of 1056	1796	explorer.exe	WScript.exe
PID 1796 wrote to memory of 1056	1796	explorer.exe	WScript.exe
PID 1796 wrote to memory of 1056	1796	explorer.exe	WScript.exe
PID 1796 wrote to memory of 2904	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 2904	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 2904	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 820	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 820	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 820	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 2560	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 2560	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 2560	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 2444	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 2444	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 2444	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 2948	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 2948	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 2948	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 1996	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 1996	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 1996	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 688	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 688	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 688	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 636	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 636	1796	explorer.exe	cmd.exe
PID 1796 wrote to memory of 636	1796	explorer.exe	cmd.exe
PID 2904 wrote to memory of 1648	2904	cmd.exe	w32tm.exe
PID 2904 wrote to memory of 1648	2904	cmd.exe	w32tm.exe
PID 2904 wrote to memory of 1648	2904	cmd.exe	w32tm.exe
PID 2560 wrote to memory of 2972	2560	cmd.exe	w32tm.exe
PID 2560 wrote to memory of 2972	2560	cmd.exe	w32tm.exe
PID 2560 wrote to memory of 2972	2560	cmd.exe	w32tm.exe
PID 820 wrote to memory of 2192	820	cmd.exe	w32tm.exe
PID 820 wrote to memory of 2192	820	cmd.exe	w32tm.exe
PID 2444 wrote to memory of 956	2444	cmd.exe	w32tm.exe
PID 820 wrote to memory of 2192	820	cmd.exe	w32tm.exe
PID 2444 wrote to memory of 956	2444	cmd.exe	w32tm.exe
PID 2444 wrote to memory of 956	2444	cmd.exe	w32tm.exe
PID 2948 wrote to memory of 1068	2948	cmd.exe	w32tm.exe
PID 2948 wrote to memory of 1068	2948	cmd.exe	w32tm.exe
PID 2948 wrote to memory of 1068	2948	cmd.exe	w32tm.exe

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

Processes:

BlockDriversession.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	BlockDriversession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	BlockDriversession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	BlockDriversession.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- DcRat
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\browserperf\DnCoBuHIAvg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\browserperf\RcA8rkUQUHdsADqQUNtkjn.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\browserperf\BlockDriversession.exe
      "C:\browserperf\BlockDriversession.exe"
      4⤵
      Modifies WinLogon for persistence
      UAC bypass
      Drops file in Drivers directory
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2884
    - - C:\Windows\ModemLogs\explorer.exe
        
        "C:\Windows\ModemLogs\explorer.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1796
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76b6216a-6b7c-41a2-99a6-0bd21e9c9e66.vbs"
        6⤵
        
        PID:1772
        
        C:\Windows\ModemLogs\explorer.exe
        
        C:\Windows\ModemLogs\explorer.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\290e6ca9-057c-4c7f-bb6f-92772b715e7a.vbs"
        8⤵
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f5556a8-9d67-4b1f-ab9f-5ec7857ff9a2.vbs"
        8⤵
        
        PID:2440
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edfcdfb3-58b5-409d-98bc-492dbbd01198.vbs"
        6⤵
        
        PID:1056
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1648
        
        C:\Windows\ModemLogs\explorer.exe
        
        "C:\Windows\ModemLogs\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3e6b4ZzyL7.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2192
        
        C:\Windows\ModemLogs\explorer.exe
        
        "C:\Windows\ModemLogs\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nq8CWMYud3.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2972
        
        C:\Windows\ModemLogs\explorer.exe
        
        "C:\Windows\ModemLogs\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZwooWRRTTU.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1068
        
        C:\Windows\ModemLogs\explorer.exe
        
        "C:\Windows\ModemLogs\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8ouSs4myqb.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:956
        
        C:\Windows\ModemLogs\explorer.exe
        
        "C:\Windows\ModemLogs\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5UQ7aDaQkN.bat"
        6⤵
        
        PID:1996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1356
        
        C:\Windows\ModemLogs\explorer.exe
        
        "C:\Windows\ModemLogs\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:220
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MktaOoGz5H.bat"
        6⤵
        
        PID:688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1704
        
        C:\Windows\ModemLogs\explorer.exe
        
        "C:\Windows\ModemLogs\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KuZ4sAfWg1.bat"
        6⤵
        
        PID:636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2300
        
        C:\Windows\ModemLogs\explorer.exe
        
        "C:\Windows\ModemLogs\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\ModemLogs\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\assembly\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Downloads\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\ShellNew\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellNew\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\browserperf\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\browserperf\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\browserperf\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\inf\TermService\0410\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\inf\TermService\0410\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\inf\TermService\0410\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:672

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Photo Viewer\es-ES\audiodg.exe

Filesize
2.2MB

MD5
53a30e3fbbb41ca3d51700f3880ea6b1

SHA1
1714952c1a06a53cd8ad5ab50739133184eb3d5e

SHA256
465c70b9f21452e6a78794ae0f84caa25e195ba2cf911d7a4f8e9652c67c6375

SHA512
26beb4e69e56afc675673126b73b94e4f9f6e59dadebc0f0627026f36ea42beec8a1efe1a208dbe32f148b33c1cb7b5203198d33dc7e1bc8b46a1515f7fc6f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\0GtdkmLKkI

Filesize
92KB

MD5
6093b9b9effe107a1958b5e8775d196a

SHA1
f86ede48007734aebe75f41954ea1ef64924b05e

SHA256
a10b04d057393f5974c776ed253909cafcd014752a57da2971ae0dddfa889ab0

SHA512
2d9c20a201655ffcce71bfafa71b79fe08eb8aa02b5666588302608f6a14126a5a1f4213a963eb528514e2ea2b17871c4c5f9b5ef89c1940c40c0718ec367a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\290e6ca9-057c-4c7f-bb6f-92772b715e7a.vbs

Filesize
709B

MD5
781d46dd03e93f9d5133213fc07917f7

SHA1
f9110410a73d39f3bc0cf0a0957017d657edf54f

SHA256
b2afb896cb1c58dcac9c96ee22c636123bf61800e7c2445bbafcfb4db35324d6

SHA512
19ea993255827896d32236a727f098ab75c50ed97320c95b43889eaa2b03543b9dd222248fcc67182d84c7c86c3801c5da3bec2445274eef892d880a7142d710

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e6b4ZzyL7.bat

Filesize
198B

MD5
08043bc8ec3beaa27bcfe4bd1c5167bb

SHA1
dca12055803a61fb7320be9778651491c11f3232

SHA256
6b4bfa6a2c901bc9871d656e844486d8c8e06b71b0a9836df6dea4e4ccda4ea9

SHA512
a993ca90ffa879c97236fca8e81f21380c9dfe99f1e3268c22546d48b1cb8702382425af18bfe6294d31c34217b7d7eee7304cf17038d0141e24f5add1bc4368

Download Submit
C:\Users\Admin\AppData\Local\Temp\5UQ7aDaQkN.bat

Filesize
198B

MD5
13e9f0fc611d6e155a52d8088cdeba0c

SHA1
421354011a8fb1900146dd759bb417b5896bccd9

SHA256
32a85a6d001b61a2a83440cfd997d21562fee35da67fb59bf6859e1a89dc1b35

SHA512
8d73bd5b350157767f5a6d4932fdfa1ccf0db8912e9c78cdda5e2ed33b36e0b3c00f857c34c1caf082d7197d285e2c0172fb4d9fa0a4a230e4f7f1011529039d

Download Submit
C:\Users\Admin\AppData\Local\Temp\76b6216a-6b7c-41a2-99a6-0bd21e9c9e66.vbs

Filesize
709B

MD5
874a00bec78b1bcf580e59513b8ec8aa

SHA1
52dbc0114d5fb5275ff3438777814fdc28cfe6b1

SHA256
7e92b08f5954ea87246031ee4922f4b68353dc71232a56ef679bd5501c5377bf

SHA512
864cdf258a7942e597ce6be9a6f1b8d14bd8ad28eac818abfe5b447f3a9bbca6096306070df27562ded1c8ff3d5254f3bcf5ef4df30e835bd6cf344cefa345c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ouSs4myqb.bat

Filesize
198B

MD5
20357b541a5afc86bfdb1d62dc4da0ed

SHA1
2a387f6025c8836818e036fd7f17d5ad0414f48b

SHA256
3233762c490d32938cba400c1564a726db3e19f2b4b45e1341b6f0affb2bcddf

SHA512
5ff28423ca5064dd29c1a5efbb5d2d9cbb70eee6b97e034d90fe980e67f685e09953d72c2de6d9d7f82a13bcfd741010e175726ce3d44eb8dd140ec3b9fdd3ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\KuZ4sAfWg1.bat

Filesize
198B

MD5
a732485e87ea4626ba724e1d14d1f37d

SHA1
b2a9f030260ed4da87d2440088825338569a294d

SHA256
73d8d0a5290d0d5a33983dd2350dfe8abf24b5022c830e1493821ec2a6d5310e

SHA512
c88b4ff432c2f65e9cc3372ef8001aeca8611a2ed200fc58d8aa03a637e7fa80e3daba4b83f968546ec40cdb747380d32ceaee1dc1c41c172ecef1bf416b6505

Download Submit
C:\Users\Admin\AppData\Local\Temp\MktaOoGz5H.bat

Filesize
198B

MD5
fd2a27a55cec623f8a46f0a042c275a6

SHA1
98420d3adf6aa4125bf0747d2c684de5f3120981

SHA256
58bb58d623f2566ed5e6590447932dbaae166ea0f1687fd7e74a16ccdac7467d

SHA512
a43731446b183803de7b74a1f759f72e74b9c53c5c3977c26d1ef3c57fedd695aa5e971167b6fc458269766a5ce2aee828c34d086cd2a9f553f75894235f507d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nq8CWMYud3.bat

Filesize
198B

MD5
78e2df5fc306ef4f04717339fb761a5c

SHA1
8a5cb2b0df2d8fc98a6dc6316d766f24617df510

SHA256
34a0318687cf046cac54f30bbf56f75d423308a736eabcbfcd96ac4ca99aec27

SHA512
ec1b2f49154945f3dc4b7383b3b8b586defe30126bd47bd1adcd061032606a9265084529643f8824ae12ad19c210c9a2abee24ffc4df7eb60d3a06bb931365c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat

Filesize
198B

MD5
259485deb1a35f74adfa9c48c5e379a9

SHA1
dd4aba3c4c56882a7c402f920bb4e436515fb57d

SHA256
e4076e6d72f8dfc3290bf3fe66c4947c3317afd94ca89a16b0a6b7f634b3e41b

SHA512
5805923b7e3154eaa03dd8f24eebce77f2b733afb3dbf910ab5878ac4e226df3f80d42bd476cddf5b7b5235a3560cf66a8446e45a26c487d5599abca428ed437

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEtDUAVWL6

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZwooWRRTTU.bat

Filesize
198B

MD5
0dc8ad83bef70b794b19c8cc6b37077e

SHA1
97d72a6c0df1938af1ba38feb91e35517c874d19

SHA256
b603a748d77e6cd7cf1859ce8a8401ee89a8b98be01599727bd006cc1911d145

SHA512
a42279ff196b674785dd9cea4a9cecd3a715aab28cf245f0821c99e373694cdb313bd472dfeb180b8d5a3e151da9fbf0e58b5ec96843facaa0288baa027d58a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\edfcdfb3-58b5-409d-98bc-492dbbd01198.vbs

Filesize
485B

MD5
a0171ae83ac265b64077370749872d19

SHA1
171cf6c94c220492ef7246760d26baa5b1f8c536

SHA256
e6f500921c75bf7c2965c07446b48bf632a5b0052357ab8652daa7c859193bef

SHA512
f2a83598dfbb2eeab8d28cae5072455f147a437f6f77cb24b90811f80d6e19610901222dc126fd6c37d8151ec0583c92b641652fcbd5a8af3f29a39a53d5dbed

Download Submit
C:\Users\Admin\AppData\Local\Temp\iVSNdCnioL

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Windows\ModemLogs\RCX7CE4.tmp

Filesize
2.2MB

MD5
d49b746e993d91bc41fdba6a27ca17bc

SHA1
bc117ad939425c7c2ddb49024357b9c2fbbb53f5

SHA256
d7f5f19740d24e6320d80820d3a3bbc2dc24f54711ac1c62ef2d971d9f2cc0ad

SHA512
f4d75b2f5265449154bc0aea2c2a0eb4407f402da752a0486681433d0981bf4a3cc6e6102efe53010b6a033e9b5114643c2375369cacd0512a88be9f328d49fd

Download Submit
C:\browserperf\DnCoBuHIAvg.vbe

Filesize
210B

MD5
df0c2d3f2c34d6585dab72e7c7e68ee2

SHA1
39a9526dbbd2fb22ecb42dff06dc24b4b0f2101a

SHA256
7f161d5bd44126e0933e733b46b0c4912db345667277506cc78d08a9464bb3e0

SHA512
8bf10e01a9024173bfb06313932a151e601c97178b00e885e25509ea30bdc5f00017943d67095725f2d3dde608d4f6126ac52166639831f17d3ee3ae391e64a3

Download Submit
C:\browserperf\RcA8rkUQUHdsADqQUNtkjn.bat

Filesize
151B

MD5
9057cf6aa3be25586ce999472ed54810

SHA1
6f608a8f42892b7bb5383cbe5a3f0c6d7b66e45f

SHA256
f795fe0dcca481ca1f45663140832c1e3bf8c6d37f33712c67ae5d5dc90482ae

SHA512
7829c023b2dfce5751703ca26d1510d045e7c29ebe8ed086e65151eb22d0306316b26acda3a5d50568c42f94c8b42a762525adbaae4f4f39f6ceba05ec82f0f6

Download Submit
C:\browserperf\services.exe

Filesize
2.2MB

MD5
6aea68d9fd0d1be38cc4f2842baae324

SHA1
125f921ff80bc54756fad0486c6358b8ada0330f

SHA256
343dd53cf0524c139e3ab30b5b5fd3c4ee45760ab8c7bab6629d23876cae9447

SHA512
b0e98159df8b6b2b1299279dd2cc7cee765d50d0e2604547c3f7aabd2dc42e032282bdc8139d6cce8c186f892dd0d88d84ba6495112bfd11ec30e8a37229ed83

Download Submit
\browserperf\BlockDriversession.exe

Filesize
2.2MB

MD5
1c6457696f89995d1d3140df11bb13d8

SHA1
9ce32ce6cd29863252e71f1b0246a18879d72020

SHA256
c16bc78cb749185c3a983fe9b739b3d47fd79265b0fc7c3c9527a2f0e9599294

SHA512
71dd011a43a4c71d692505006831449390cd0a9febc1b0b215d141cacbc603b1b13945d356ae4a2c6ecec2fbd4e43d6d714cac3505fec94e453e6da814f670f5

Download Submit
memory/1796-215-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/1796-214-0x0000000000F80000-0x00000000011AE000-memory.dmp

Filesize
2.2MB

Download
memory/2476-289-0x0000000000CE0000-0x0000000000CF2000-memory.dmp

Filesize
72KB

Download
memory/2884-22-0x0000000000C90000-0x0000000000CA0000-memory.dmp

Filesize
64KB

Download
memory/2884-26-0x0000000001240000-0x000000000124C000-memory.dmp

Filesize
48KB

Download
memory/2884-36-0x000000001ACF0000-0x000000001ACFE000-memory.dmp

Filesize
56KB

Download
memory/2884-37-0x000000001AD40000-0x000000001AD4C000-memory.dmp

Filesize
48KB

Download
memory/2884-38-0x000000001AD50000-0x000000001AD58000-memory.dmp

Filesize
32KB

Download
memory/2884-39-0x000000001AD60000-0x000000001AD6C000-memory.dmp

Filesize
48KB

Download
memory/2884-34-0x000000001ACD0000-0x000000001ACDE000-memory.dmp

Filesize
56KB

Download
memory/2884-33-0x000000001A8F0000-0x000000001A8FA000-memory.dmp

Filesize
40KB

Download
memory/2884-32-0x000000001A8E0000-0x000000001A8EC000-memory.dmp

Filesize
48KB

Download
memory/2884-31-0x000000001A8D0000-0x000000001A8DC000-memory.dmp

Filesize
48KB

Download
memory/2884-30-0x000000001A8C0000-0x000000001A8CC000-memory.dmp

Filesize
48KB

Download
memory/2884-29-0x0000000001260000-0x0000000001272000-memory.dmp

Filesize
72KB

Download
memory/2884-27-0x0000000001250000-0x0000000001258000-memory.dmp

Filesize
32KB

Download
memory/2884-35-0x000000001ACE0000-0x000000001ACE8000-memory.dmp

Filesize
32KB

Download
memory/2884-25-0x0000000001230000-0x0000000001238000-memory.dmp

Filesize
32KB

Download
memory/2884-24-0x0000000000D20000-0x0000000000D2C000-memory.dmp

Filesize
48KB

Download
memory/2884-23-0x0000000000C80000-0x0000000000C8A000-memory.dmp

Filesize
40KB

Download
memory/2884-21-0x0000000000C70000-0x0000000000C78000-memory.dmp

Filesize
32KB

Download
memory/2884-20-0x0000000000700000-0x000000000070C000-memory.dmp

Filesize
48KB

Download
memory/2884-19-0x0000000000C50000-0x0000000000C66000-memory.dmp

Filesize
88KB

Download
memory/2884-18-0x00000000006F0000-0x0000000000700000-memory.dmp

Filesize
64KB

Download
memory/2884-17-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/2884-16-0x00000000006D0000-0x00000000006EC000-memory.dmp

Filesize
112KB

Download
memory/2884-15-0x0000000000340000-0x000000000034E000-memory.dmp

Filesize
56KB

Download
memory/2884-14-0x0000000000330000-0x000000000033E000-memory.dmp

Filesize
56KB

Download
memory/2884-13-0x0000000001270000-0x000000000149E000-memory.dmp

Filesize
2.2MB

Download