dcrat | 5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Size

3.4MB
MD5

2940f67b5851b30f69161aa3b45ba520
SHA1

2f0c61903289e0321a7fd6af12b2f347a5c57184
SHA256

5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14
SHA512

ccfe70dd9f94f8102b8860077e834ba45c8283619f2f8d1235bdbe63622e64b516ed9d9ec5cf59dcb4f5983a8c377f9bf901b42a47c28b21bfc17ea855bd4b82
SSDEEP

49152:xZXrXU/5+Zc5SVROVisjq7miG9vv2SNty1kIP2XMxARdp:xZzU4c5SMXq7miAX2SNty1xPuMyHp

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 26 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
1000	schtasks.exe
328	schtasks.exe
108	schtasks.exe
1132	schtasks.exe
2388	schtasks.exe
1208	schtasks.exe
648	schtasks.exe
1360	schtasks.exe
2260	schtasks.exe
1128	schtasks.exe
684	schtasks.exe
1448	schtasks.exe
2912	schtasks.exe
File created	C:\Program Files (x86)\Windows Mail\42af1c969fbb7b	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
1276	schtasks.exe
1620	schtasks.exe
284	schtasks.exe
772	schtasks.exe
2016	schtasks.exe
1700	schtasks.exe
1720	schtasks.exe
592	schtasks.exe
288	schtasks.exe
2044	schtasks.exe
1724	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\audiodg.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\fr-FR\\services.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\audiodg.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\fr-FR\\services.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\audiodg.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\fr-FR\\services.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\audiodg.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\fr-FR\\services.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\Program Files\\Uninstall Information\\Idle.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\audiodg.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\fr-FR\\services.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\Program Files\\Uninstall Information\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\audiodg.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\fr-FR\\services.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\Program Files\\Uninstall Information\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\All Users\\taskhost.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\audiodg.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\audiodg.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\services.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	796	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	796	schtasks.exe

UAC bypass 3 TTPs 18 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2652-1-0x0000000000030000-0x000000000039A000-memory.dmp	dcrat
C:\MSOCache\All Users\taskhost.exe	dcrat
behavioral1/memory/2340-61-0x0000000000D40000-0x00000000010AA000-memory.dmp	dcrat
behavioral1/memory/2112-108-0x00000000012C0000-0x000000000162A000-memory.dmp	dcrat

Executes dropped EXE 5 IoCs

Processes:

audiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exe

pid process

2340 audiodg.exe
2396 audiodg.exe
2556 audiodg.exe
1972 audiodg.exe
2112 audiodg.exe

pid	process
2340	audiodg.exe
2396	audiodg.exe
2556	audiodg.exe
1972	audiodg.exe
2112	audiodg.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Uninstall Information\\Idle.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Windows Mail\\audiodg.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\taskhost.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Uninstall Information\\Idle.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Journal\\fr-FR\\services.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows NT\\TableTextService\\fr-FR\\services.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\csrss.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\All Users\\taskhost.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\All Users\\taskhost.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\taskhost.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows NT\\TableTextService\\fr-FR\\services.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Windows Mail\\audiodg.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Journal\\fr-FR\\services.exe\""	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe

Checks whether UAC is enabled 1 TTPs 12 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe

Drops file in Program Files directory 11 IoCs

Processes:

5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe

description	ioc	process
File created	C:\Program Files\Windows NT\TableTextService\fr-FR\services.exe	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\c5b4cb5e9653cc	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
File created	C:\Program Files\Uninstall Information\Idle.exe	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
File created	C:\Program Files\Uninstall Information\6ccacd8608530f	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\audiodg.exe	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
File created	C:\Program Files (x86)\Windows Mail\42af1c969fbb7b	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
File created	C:\Program Files\Windows Journal\fr-FR\services.exe	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
File created	C:\Program Files\Windows Journal\fr-FR\c5b4cb5e9653cc	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
File created	C:\Program Files\Windows NT\TableTextService\fr-FR\c5b4cb5e9653cc	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\services.exe	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
File created	C:\Program Files (x86)\Windows Mail\audiodg.exe	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
1720	schtasks.exe
2912	schtasks.exe
1276	schtasks.exe
1620	schtasks.exe
2016	schtasks.exe
1360	schtasks.exe
648	schtasks.exe
772	schtasks.exe
1448	schtasks.exe
2260	schtasks.exe
1132	schtasks.exe
1700	schtasks.exe
2388	schtasks.exe
684	schtasks.exe
592	schtasks.exe
1000	schtasks.exe
1208	schtasks.exe
328	schtasks.exe
284	schtasks.exe
1724	schtasks.exe
108	schtasks.exe
2044	schtasks.exe
1128	schtasks.exe
288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exeaudiodg.exeaudiodg.exe

pid	process
2652	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
2652	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
2652	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
2652	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
2652	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
2652	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
2652	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2340	audiodg.exe
2396	audiodg.exe
2396	audiodg.exe
2396	audiodg.exe
2396	audiodg.exe
2396	audiodg.exe
2396	audiodg.exe
2396	audiodg.exe
2396	audiodg.exe
2396	audiodg.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exe

description	pid	process
Token: SeDebugPrivilege	2652	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Token: SeDebugPrivilege	2340	audiodg.exe
Token: SeDebugPrivilege	2396	audiodg.exe
Token: SeDebugPrivilege	2556	audiodg.exe
Token: SeDebugPrivilege	1972	audiodg.exe
Token: SeDebugPrivilege	2112	audiodg.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exeaudiodg.exeWScript.exeaudiodg.exeWScript.exeaudiodg.exeWScript.exeaudiodg.exeWScript.exeaudiodg.exe

description	pid	process	target process
PID 2652 wrote to memory of 2340	2652	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe	audiodg.exe
PID 2652 wrote to memory of 2340	2652	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe	audiodg.exe
PID 2652 wrote to memory of 2340	2652	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe	audiodg.exe
PID 2340 wrote to memory of 792	2340	audiodg.exe	WScript.exe
PID 2340 wrote to memory of 792	2340	audiodg.exe	WScript.exe
PID 2340 wrote to memory of 792	2340	audiodg.exe	WScript.exe
PID 2340 wrote to memory of 1984	2340	audiodg.exe	WScript.exe
PID 2340 wrote to memory of 1984	2340	audiodg.exe	WScript.exe
PID 2340 wrote to memory of 1984	2340	audiodg.exe	WScript.exe
PID 792 wrote to memory of 2396	792	WScript.exe	audiodg.exe
PID 792 wrote to memory of 2396	792	WScript.exe	audiodg.exe
PID 792 wrote to memory of 2396	792	WScript.exe	audiodg.exe
PID 2396 wrote to memory of 2776	2396	audiodg.exe	WScript.exe
PID 2396 wrote to memory of 2776	2396	audiodg.exe	WScript.exe
PID 2396 wrote to memory of 2776	2396	audiodg.exe	WScript.exe
PID 2396 wrote to memory of 2740	2396	audiodg.exe	WScript.exe
PID 2396 wrote to memory of 2740	2396	audiodg.exe	WScript.exe
PID 2396 wrote to memory of 2740	2396	audiodg.exe	WScript.exe
PID 2776 wrote to memory of 2556	2776	WScript.exe	audiodg.exe
PID 2776 wrote to memory of 2556	2776	WScript.exe	audiodg.exe
PID 2776 wrote to memory of 2556	2776	WScript.exe	audiodg.exe
PID 2556 wrote to memory of 2856	2556	audiodg.exe	WScript.exe
PID 2556 wrote to memory of 2856	2556	audiodg.exe	WScript.exe
PID 2556 wrote to memory of 2856	2556	audiodg.exe	WScript.exe
PID 2556 wrote to memory of 3048	2556	audiodg.exe	WScript.exe
PID 2556 wrote to memory of 3048	2556	audiodg.exe	WScript.exe
PID 2556 wrote to memory of 3048	2556	audiodg.exe	WScript.exe
PID 2856 wrote to memory of 1972	2856	WScript.exe	audiodg.exe
PID 2856 wrote to memory of 1972	2856	WScript.exe	audiodg.exe
PID 2856 wrote to memory of 1972	2856	WScript.exe	audiodg.exe
PID 1972 wrote to memory of 1936	1972	audiodg.exe	WScript.exe
PID 1972 wrote to memory of 1936	1972	audiodg.exe	WScript.exe
PID 1972 wrote to memory of 1936	1972	audiodg.exe	WScript.exe
PID 1972 wrote to memory of 2180	1972	audiodg.exe	WScript.exe
PID 1972 wrote to memory of 2180	1972	audiodg.exe	WScript.exe
PID 1972 wrote to memory of 2180	1972	audiodg.exe	WScript.exe
PID 1936 wrote to memory of 2112	1936	WScript.exe	audiodg.exe
PID 1936 wrote to memory of 2112	1936	WScript.exe	audiodg.exe
PID 1936 wrote to memory of 2112	1936	WScript.exe	audiodg.exe
PID 2112 wrote to memory of 2212	2112	audiodg.exe	WScript.exe
PID 2112 wrote to memory of 2212	2112	audiodg.exe	WScript.exe
PID 2112 wrote to memory of 2212	2112	audiodg.exe	WScript.exe
PID 2112 wrote to memory of 2752	2112	audiodg.exe	WScript.exe
PID 2112 wrote to memory of 2752	2112	audiodg.exe	WScript.exe
PID 2112 wrote to memory of 2752	2112	audiodg.exe	WScript.exe

System policy modification 1 TTPs 18 IoCs

evasion

Modify Registry

T1112

Processes:

5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe
"C:\Users\Admin\AppData\Local\Temp\5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14N.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2652
- C:\Program Files (x86)\Windows Mail\audiodg.exe
  "C:\Program Files (x86)\Windows Mail\audiodg.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2340
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07e5c7bf-9d4d-4aa0-9c90-3e74fd1b5ac5.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:792
  - - C:\Program Files (x86)\Windows Mail\audiodg.exe
      "C:\Program Files (x86)\Windows Mail\audiodg.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2396
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a31ea05-97d7-4326-b9ec-ce553924af74.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Program Files (x86)\Windows Mail\audiodg.exe
        
        "C:\Program Files (x86)\Windows Mail\audiodg.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5119350-58b0-4b18-82e2-fb22397f4bb1.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Program Files (x86)\Windows Mail\audiodg.exe
        
        "C:\Program Files (x86)\Windows Mail\audiodg.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1cdb459-bcca-45ac-9910-d80a533acbeb.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Program Files (x86)\Windows Mail\audiodg.exe
        
        "C:\Program Files (x86)\Windows Mail\audiodg.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\509e327b-a5e7-4320-b98b-ba615a0d8dbc.vbs"
        11⤵
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\433f1008-a4e9-42cf-bd24-22b79b81adcb.vbs"
        11⤵
        
        PID:2752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b71e144-e0a2-4378-bf5d-55f3d3d9c327.vbs"
        9⤵
        
        PID:2180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c61c560-92da-4d5e-a347-9fa4bd193906.vbs"
        7⤵
        
        PID:3048
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4450c71b-af7d-4c31-8de1-9660325ce048.vbs"
        5⤵
        
        PID:2740
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6a5c08e-0a52-4a02-b130-2e5c4e175c6f.vbs"
    3⤵
    PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\fr-FR\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\taskhost.exe

Filesize
3.4MB

MD5
2940f67b5851b30f69161aa3b45ba520

SHA1
2f0c61903289e0321a7fd6af12b2f347a5c57184

SHA256
5fc67c6c7caec34905dbcaf6d4eb90f1115bc71d57b0ee07f9481620cfd12b14

SHA512
ccfe70dd9f94f8102b8860077e834ba45c8283619f2f8d1235bdbe63622e64b516ed9d9ec5cf59dcb4f5983a8c377f9bf901b42a47c28b21bfc17ea855bd4b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\07e5c7bf-9d4d-4aa0-9c90-3e74fd1b5ac5.vbs

Filesize
723B

MD5
0598c8d03d0cef6c245e900b31e76696

SHA1
f082c1e6fd8b095370a88a3fd239b4fab1afbdfb

SHA256
e3acf2aa9ade7c388498ef1090a2393cf8609f9b163175ec171af3d25d02852a

SHA512
1a89046519ad8e8656a1b79463a7dc71afba05a65cc19f6105efeda94228f9ba629d66e713fd440baf617a5fc3ba9c2d8768562048608a737418f8552ba745c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a31ea05-97d7-4326-b9ec-ce553924af74.vbs

Filesize
723B

MD5
28bae2b6513174d037b4e77dffb3be3d

SHA1
a44538eba44e73393a1c9c41fee5ebbe61eafacd

SHA256
d7d59a64501fcb00b5c962b9228b0c6ff4319d5234a77664fa0b0d50c3073474

SHA512
2cbfb9965a6192baeef14e3b68d42dd108950d04921124c1f4882c6948731d1601551bd5f23beb16e7aaa76758f65f1725f998e0c747491116cc581efefd2f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\509e327b-a5e7-4320-b98b-ba615a0d8dbc.vbs

Filesize
723B

MD5
bc357a03a7ca1587d0ec24580f84cbb5

SHA1
bc5b43abb2d8839b04ebe17e71ecc1575c33187e

SHA256
2d9e164d533891f5c1389593e8895f54328eecdb673a18c5cc82943fc0486adc

SHA512
73b4ea669f688f0142c6fe31e3768ce0a2edb1fcfa180f38a1559c983f2192332cbe51cb8e411c75e1b4fe1f0367d1bd86ecf784b32c13af909d12282cae76ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5119350-58b0-4b18-82e2-fb22397f4bb1.vbs

Filesize
723B

MD5
c3ee32886e05e5943dc35b370a969123

SHA1
f282867c24d82fdd3dd5637f4b72ac7093bcf4e2

SHA256
7707a259fbfbadfcec76dab0735ce97c81b1c4aa67daeb0c198982b7507e9fa2

SHA512
2492cb3b3406ecd891b79793683b6c522aa2f8bd09880d703716ffa67322eeafffb5f9c3af5734b214561e902ae3f9e56ec74977855812369032034161bc336a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1cdb459-bcca-45ac-9910-d80a533acbeb.vbs

Filesize
723B

MD5
16155a73142d01e5b00343a55949fe67

SHA1
754f9bff3ecf193492e30e3f9c59dec594aad6e8

SHA256
5b85b32af30d05c04ed07abe9a6315416f6b0e4b9bd547dd1bd7a82abf5f5d99

SHA512
85074cf656faf1a0a06d33227cc8eec35ba78bad00a32b97e48640ff091fc50c062999606877173d056fae95660794db16a50f20d27f03c7139ef04a1a6bc763

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6a5c08e-0a52-4a02-b130-2e5c4e175c6f.vbs

Filesize
499B

MD5
225f189b425e014272149e96ad7a145f

SHA1
eeed2dea3e858c187ed0d6cab643b4bf220b220d

SHA256
b5588d6a80536d5b95febb43057f5d0610c5b1901bbfe1e4d044a4cc18005541

SHA512
f8ec81c4a9b26a6b74aa1ac3f640000215e8a1643432d25fb951ce3f3c765878dfa83002568a5e5bc06b52cdfe73af01d8a82ece7e46b48cbef3bc0054f431af

Download Submit
memory/2112-108-0x00000000012C0000-0x000000000162A000-memory.dmp

Filesize
3.4MB

Download
memory/2340-61-0x0000000000D40000-0x00000000010AA000-memory.dmp

Filesize
3.4MB

Download
memory/2340-62-0x00000000005F0000-0x0000000000602000-memory.dmp

Filesize
72KB

Download
memory/2396-73-0x0000000000CF0000-0x0000000000D46000-memory.dmp

Filesize
344KB

Download
memory/2556-85-0x0000000000B70000-0x0000000000B82000-memory.dmp

Filesize
72KB

Download
memory/2652-19-0x000000001ADE0000-0x000000001ADEC000-memory.dmp

Filesize
48KB

Download
memory/2652-26-0x000000001B050000-0x000000001B05C000-memory.dmp

Filesize
48KB

Download
memory/2652-10-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2652-9-0x00000000024B0000-0x00000000024C6000-memory.dmp

Filesize
88KB

Download
memory/2652-11-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/2652-12-0x000000001A8F0000-0x000000001A8FC000-memory.dmp

Filesize
48KB

Download
memory/2652-13-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2652-14-0x000000001A900000-0x000000001A910000-memory.dmp

Filesize
64KB

Download
memory/2652-15-0x000000001A910000-0x000000001A91A000-memory.dmp

Filesize
40KB

Download
memory/2652-16-0x000000001AD80000-0x000000001ADD6000-memory.dmp

Filesize
344KB

Download
memory/2652-17-0x000000001A920000-0x000000001A92C000-memory.dmp

Filesize
48KB

Download
memory/2652-18-0x000000001ADD0000-0x000000001ADD8000-memory.dmp

Filesize
32KB

Download
memory/2652-7-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/2652-20-0x000000001ADF0000-0x000000001ADF8000-memory.dmp

Filesize
32KB

Download
memory/2652-21-0x000000001AFE0000-0x000000001AFF2000-memory.dmp

Filesize
72KB

Download
memory/2652-22-0x000000001B010000-0x000000001B01C000-memory.dmp

Filesize
48KB

Download
memory/2652-23-0x000000001B020000-0x000000001B02C000-memory.dmp

Filesize
48KB

Download
memory/2652-25-0x000000001B040000-0x000000001B04C000-memory.dmp

Filesize
48KB

Download
memory/2652-24-0x000000001B030000-0x000000001B038000-memory.dmp

Filesize
32KB

Download
memory/2652-8-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/2652-27-0x000000001B060000-0x000000001B068000-memory.dmp

Filesize
32KB

Download
memory/2652-28-0x000000001B070000-0x000000001B07C000-memory.dmp

Filesize
48KB

Download
memory/2652-29-0x000000001B080000-0x000000001B08A000-memory.dmp

Filesize
40KB

Download
memory/2652-30-0x000000001B090000-0x000000001B09E000-memory.dmp

Filesize
56KB

Download
memory/2652-31-0x000000001B0A0000-0x000000001B0A8000-memory.dmp

Filesize
32KB

Download
memory/2652-32-0x000000001B0B0000-0x000000001B0BE000-memory.dmp

Filesize
56KB

Download
memory/2652-33-0x000000001B0C0000-0x000000001B0C8000-memory.dmp

Filesize
32KB

Download
memory/2652-34-0x000000001B0D0000-0x000000001B0DC000-memory.dmp

Filesize
48KB

Download
memory/2652-6-0x00000000022D0000-0x00000000022EC000-memory.dmp

Filesize
112KB

Download
memory/2652-5-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/2652-4-0x0000000002270000-0x000000000227E000-memory.dmp

Filesize
56KB

Download
memory/2652-3-0x0000000000740000-0x000000000074E000-memory.dmp

Filesize
56KB

Download
memory/2652-2-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-1-0x0000000000030000-0x000000000039A000-memory.dmp

Filesize
3.4MB

Download
memory/2652-0-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

Filesize
4KB

Download
memory/2652-35-0x000000001B0E0000-0x000000001B0E8000-memory.dmp

Filesize
32KB

Download
memory/2652-36-0x000000001B0F0000-0x000000001B0FA000-memory.dmp

Filesize
40KB

Download
memory/2652-37-0x000000001B100000-0x000000001B10C000-memory.dmp

Filesize
48KB

Download
memory/2652-60-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download