dcrat | c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Size

4.9MB
MD5

7bcee51d69d6f7f7872dade20a2c5916
SHA1

4ad1278f8368527aa02d08c6ee86da5b22be2cab
SHA256

c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2
SHA512

8da8506093074361776f8b1693a2058fc6775be636034237c8ef7f5a03d422b881a9c8ea047b8d89bc314c649ba0c3bd7a16ac8dcd4c41d788135845bd151e34
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8u:G

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	1008	schtasks.exe

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

services.exeservices.exeservices.exeservices.exeservices.exec24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exeservices.exeservices.exeservices.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2916-2-0x000000001B640000-0x000000001B76E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2072	powershell.exe
1896	powershell.exe
2272	powershell.exe
2052	powershell.exe
3068	powershell.exe
1700	powershell.exe
2152	powershell.exe
1356	powershell.exe
1920	powershell.exe
552	powershell.exe
1760	powershell.exe
2276	powershell.exe

Executes dropped EXE 8 IoCs

Processes:

services.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

pid process

2632 services.exe
2708 services.exe
1800 services.exe
2360 services.exe
2560 services.exe
2704 services.exe
1804 services.exe
1528 services.exe

pid	process
2632	services.exe
2708	services.exe
1800	services.exe
2360	services.exe
2560	services.exe
2704	services.exe
1804	services.exe
1528	services.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Drops file in Program Files directory 12 IoCs

Processes:

c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe

description	ioc	process
File created	C:\Program Files\Uninstall Information\101b941d020240	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Program Files\Windows Portable Devices\services.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\it-IT\RCX147C.tmp	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX1691.tmp	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\it-IT\sppsvc.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Program Files\Windows Portable Devices\services.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Program Files\Uninstall Information\lsm.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Program Files\Uninstall Information\lsm.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\sppsvc.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\0a1fd5f707cd16	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Program Files\Windows Portable Devices\c5b4cb5e9653cc	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX1279.tmp	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe

Drops file in Windows directory 4 IoCs

Processes:

c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe

description	ioc	process
File created	C:\Windows\Prefetch\ReadyBoot\wininit.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Windows\Prefetch\ReadyBoot\56085415360792	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCX1B15.tmp	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\wininit.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3020	schtasks.exe
2592	schtasks.exe
340	schtasks.exe
2672	schtasks.exe
2568	schtasks.exe
2632	schtasks.exe
796	schtasks.exe
2584	schtasks.exe
2192	schtasks.exe
636	schtasks.exe
2144	schtasks.exe
2884	schtasks.exe
2044	schtasks.exe
2892	schtasks.exe
1460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

pid	process
2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
1760	powershell.exe
1700	powershell.exe
1896	powershell.exe
2276	powershell.exe
3068	powershell.exe
2272	powershell.exe
1920	powershell.exe
2052	powershell.exe
1356	powershell.exe
2152	powershell.exe
552	powershell.exe
2072	powershell.exe
2632	services.exe
2708	services.exe
1800	services.exe
2360	services.exe
2560	services.exe
2704	services.exe
1804	services.exe
1528	services.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2632	services.exe
Token: SeDebugPrivilege	2708	services.exe
Token: SeDebugPrivilege	1800	services.exe
Token: SeDebugPrivilege	2360	services.exe
Token: SeDebugPrivilege	2560	services.exe
Token: SeDebugPrivilege	2704	services.exe
Token: SeDebugPrivilege	1804	services.exe
Token: SeDebugPrivilege	1528	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.execmd.exeservices.exeWScript.exeservices.exeWScript.exeservices.exe

description	pid	process	target process
PID 2916 wrote to memory of 552	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 552	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 552	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 1760	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 1760	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 1760	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 2276	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 2276	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 2276	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 2272	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 2272	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 2272	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 2052	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 2052	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 2052	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 3068	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 3068	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 3068	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 1700	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 1700	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 1700	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 2072	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 2072	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 2072	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 2152	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 2152	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 2152	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 1896	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 1896	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 1896	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 1356	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 1356	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 1356	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 1920	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 1920	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 1920	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2916 wrote to memory of 1348	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	cmd.exe
PID 2916 wrote to memory of 1348	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	cmd.exe
PID 2916 wrote to memory of 1348	2916	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	cmd.exe
PID 1348 wrote to memory of 1592	1348	cmd.exe	w32tm.exe
PID 1348 wrote to memory of 1592	1348	cmd.exe	w32tm.exe
PID 1348 wrote to memory of 1592	1348	cmd.exe	w32tm.exe
PID 1348 wrote to memory of 2632	1348	cmd.exe	services.exe
PID 1348 wrote to memory of 2632	1348	cmd.exe	services.exe
PID 1348 wrote to memory of 2632	1348	cmd.exe	services.exe
PID 2632 wrote to memory of 2816	2632	services.exe	WScript.exe
PID 2632 wrote to memory of 2816	2632	services.exe	WScript.exe
PID 2632 wrote to memory of 2816	2632	services.exe	WScript.exe
PID 2632 wrote to memory of 2404	2632	services.exe	WScript.exe
PID 2632 wrote to memory of 2404	2632	services.exe	WScript.exe
PID 2632 wrote to memory of 2404	2632	services.exe	WScript.exe
PID 2816 wrote to memory of 2708	2816	WScript.exe	services.exe
PID 2816 wrote to memory of 2708	2816	WScript.exe	services.exe
PID 2816 wrote to memory of 2708	2816	WScript.exe	services.exe
PID 2708 wrote to memory of 1248	2708	services.exe	WScript.exe
PID 2708 wrote to memory of 1248	2708	services.exe	WScript.exe
PID 2708 wrote to memory of 1248	2708	services.exe	WScript.exe
PID 2708 wrote to memory of 324	2708	services.exe	WScript.exe
PID 2708 wrote to memory of 324	2708	services.exe	WScript.exe
PID 2708 wrote to memory of 324	2708	services.exe	WScript.exe
PID 1248 wrote to memory of 1800	1248	WScript.exe	services.exe
PID 1248 wrote to memory of 1800	1248	WScript.exe	services.exe
PID 1248 wrote to memory of 1800	1248	WScript.exe	services.exe
PID 1800 wrote to memory of 1680	1800	services.exe	WScript.exe

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

Processes:

services.exeservices.exeservices.exeservices.exeservices.exeservices.exec24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exeservices.exeservices.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
"C:\Users\Admin\AppData\Local\Temp\c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nOwkk2A6N3.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1592
- - C:\Program Files\Windows Portable Devices\services.exe
    "C:\Program Files\Windows Portable Devices\services.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2632
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f9f133a-88e3-45ec-9753-c53c7f19cbe0.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Program Files\Windows Portable Devices\services.exe
        
        "C:\Program Files\Windows Portable Devices\services.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2708
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87d47399-5329-469f-bb90-4345f81466b2.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Program Files\Windows Portable Devices\services.exe
        
        "C:\Program Files\Windows Portable Devices\services.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eac8a23e-3753-41c6-bfa1-096b4e69154f.vbs"
        8⤵
        
        PID:1680
        
        C:\Program Files\Windows Portable Devices\services.exe
        
        "C:\Program Files\Windows Portable Devices\services.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\905908d4-706a-4ab4-91ed-7e3edcfe3fb3.vbs"
        10⤵
        
        PID:1976
        
        C:\Program Files\Windows Portable Devices\services.exe
        
        "C:\Program Files\Windows Portable Devices\services.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\238e367b-e258-4a72-a186-8b98ceb0068e.vbs"
        12⤵
        
        PID:1856
        
        C:\Program Files\Windows Portable Devices\services.exe
        
        "C:\Program Files\Windows Portable Devices\services.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96eda226-5906-4e87-999e-a6091ecca635.vbs"
        14⤵
        
        PID:1956
        
        C:\Program Files\Windows Portable Devices\services.exe
        
        "C:\Program Files\Windows Portable Devices\services.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d04a8159-4ab4-40a0-b6ae-1b3d5b8bfd84.vbs"
        16⤵
        
        PID:2136
        
        C:\Program Files\Windows Portable Devices\services.exe
        
        "C:\Program Files\Windows Portable Devices\services.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e82a341b-9d72-48ca-88b3-bc7828138288.vbs"
        18⤵
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e0238aa-cf9a-4a6a-98fb-1a33de65d48d.vbs"
        18⤵
        
        PID:1144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed02c431-682d-40b8-a7e1-977b3610c779.vbs"
        16⤵
        
        PID:840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bd80662-ec7f-44df-9a39-52bf2740ce91.vbs"
        14⤵
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c91f0d57-b7c5-43b5-82ad-305a724c2224.vbs"
        12⤵
        
        PID:2192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cd0f90f-3321-4548-840c-31205ab6f812.vbs"
        10⤵
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a22e08c6-075f-4623-abfa-37723ef45e8e.vbs"
        8⤵
        
        PID:2864
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04b27d49-ca68-4955-8ff4-9272272d3ede.vbs"
        6⤵
        
        PID:324
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5d0a832-08f0-47f4-8ce2-02000acd3300.vbs"
      4⤵
      PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\Sample Music\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\Sample Music\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\238e367b-e258-4a72-a186-8b98ceb0068e.vbs

Filesize
730B

MD5
8444ece07fa614a0a93c24e4d8399993

SHA1
a2fffc847a9789fcd87d824a8be4aa9bb9436623

SHA256
78fe13db375e355067bb203fb44bf713ea38bb3d9dfb62421db0b315b65cdbf2

SHA512
b4869e0ce394d5c731a2c9f9f653c52cad3447d1c08eb3e5979885542459a56729d180383e4f38f2c88eaf671864f5d4b0961b08c3cc03d8f1e1f311a4a58fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f9f133a-88e3-45ec-9753-c53c7f19cbe0.vbs

Filesize
730B

MD5
83c7caf5e4f3036598ba0f045b0a327b

SHA1
26b869d37bd845940af256f2b2cf9323834b5d4f

SHA256
f683f1de3195742643eb0ee191a4d751cfb1ed6c441a9ef901af2c371cd34fb4

SHA512
5bdd8ce05dd67ed1d25674d2ebf10b5e1e460b44b1bf5ad9bbaee0e3237ebb9763057fe8c68cb61388e42f821968de6df6cc59428abb8aff29ca31faddc38d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\87d47399-5329-469f-bb90-4345f81466b2.vbs

Filesize
730B

MD5
a512832518698954ad93b773756fd292

SHA1
bacb8e384723cf951fd96ce3c0e7402cb6a2a30c

SHA256
391e6461090f954700bbb3bda5926f57d850935696e4e3415bac7158908e4110

SHA512
9e2fdaecc3f4e2aeb6c7ed6b9b564fecc1a3933821d6b9c66792bd32bd81b0e21150635eeea44c4dc2172d7ab0e7ed12f936f4a874532be28dcc37bdec1ddfd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\905908d4-706a-4ab4-91ed-7e3edcfe3fb3.vbs

Filesize
730B

MD5
46536ea4e712970e32d39c64e7cf98b0

SHA1
de5ac4879050f05c922ca41d5b874a2046282eef

SHA256
2c30d7b3529e8610cdac08c003d2ebd81e27b286310ab5e6b5cd45706f7a6eb2

SHA512
a14bd2fcefa750c145c833bf3e6560e5319ba10977259de4c2d12066244a27f798e7c0cc25cdae033f7381f8cfe01c6c76159cf14064febf29802fb9159c146e

Download Submit
C:\Users\Admin\AppData\Local\Temp\96eda226-5906-4e87-999e-a6091ecca635.vbs

Filesize
730B

MD5
9cd207cf22bc5c51f6d60e132a7965b8

SHA1
c1a259673d3e6a6e69fd4bd49909145c43253837

SHA256
6f41851cbce87196cafcb0a074287bb31882550875c0ec830588770d5e644539

SHA512
44670c029bfc211331f952309993b53f70f7091e854fa56422f065656aed63853a38aec970b907ff72f28e2fab9665cfd109d2b3bd8672cefdcfd54109dfc148

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d0a832-08f0-47f4-8ce2-02000acd3300.vbs

Filesize
506B

MD5
8408b5a3bff856132c91a99ae8f5e853

SHA1
6fe5e32146b2e95c3d2e66da104921770d0ab419

SHA256
f23ab3e78c5a4ed2378929c9dd691a17b5c6402c2cbde022a59d4a790f250084

SHA512
889a537e3337b7056f5edb3d3d6d40b754c9a77527c0f5c630ce248ede04e08f126e2ded601af28f02fe3a7b785430d5611bbb8c454e44048bc47db3cb7f9717

Download Submit
C:\Users\Admin\AppData\Local\Temp\d04a8159-4ab4-40a0-b6ae-1b3d5b8bfd84.vbs

Filesize
730B

MD5
05eba2aeffdc0403eba538518cd758f3

SHA1
f2a5b0ddf1062bf394c33ff3d3d9e5018629b0e3

SHA256
a811939284e85146df2c0f662ac9f93d590f1aa4a394e83a4e84b4e9dcaf127c

SHA512
af47dd775fc659e1004f079bb4d933c60d1eb3dbf48fcde03574ad1e9ee6f874d1f5a793704d3619d9b4cdc0bcfef27f4b57fae630c272ee50db9dd61cf4beea

Download Submit
C:\Users\Admin\AppData\Local\Temp\e82a341b-9d72-48ca-88b3-bc7828138288.vbs

Filesize
730B

MD5
13e83c63b1bbe87d999baa625d8be3d0

SHA1
6af9f3891d92ac75dac4b9f95820f708e519d8be

SHA256
e99fbac0ca2888423e15c226ea4b176d67d64a55f0077f3a349ec60c5ed19cf0

SHA512
038802d2bbea5ae754ea19d8741edbfc9edeea8f46437233eb889c88afdc8a807c0b3191c119e0927ec355e93cc85a70723430560b92e71bc7bac72dc5397122

Download Submit
C:\Users\Admin\AppData\Local\Temp\eac8a23e-3753-41c6-bfa1-096b4e69154f.vbs

Filesize
730B

MD5
57546fceeb2e101a7c3a638b150a2fbc

SHA1
657758d3c4925d9c5c7b0d2944f4ecefc674e36a

SHA256
6095b7075f561e087af093397ebc5c671e79dde2af435ba0d21a0ab785ae1dbe

SHA512
c871249e3a5a6820245b51c94039a86c07863e84a48527904d8bcae50cf3993dfb01a9a3f53cdd50564e6ce13f4488b2d715c4d693b1c2c5435e825d478c963f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nOwkk2A6N3.bat

Filesize
219B

MD5
a3ab3b480ae76c51daa05838e7fd96da

SHA1
85a1973ce4baa8c06caefde8d774ab76be7b4a4d

SHA256
71a848cfa4c618568309f9af722fcec7003feec458f618a513bc7c5405e3e7ec

SHA512
29a67c07882b29071a29cf9a948debd12fd209570dc5c38b72365b48919c5565da519b3504ddc68291bbd546da4e2de93288c5ed5f3d2a8cfe8b8c84a4c70e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4450.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8548d8318b8d4c326dc9175b1001c63d

SHA1
9965327be352d665c0bfe96f4556fe0ba325a89b

SHA256
8b34aec88d75b8690ec8aaf752296302cf4a6cae2c58e80cf2339df6c5ec18a6

SHA512
074a5e521a3bb944077bb95755d7370f5bdbffc65a7944202cc462d0f884ebd6c62999837786898556b5f1fdcf2d7dfd5f9aecf68ba02ff7264c30c67ddaf61d

Download Submit
C:\Windows\Prefetch\ReadyBoot\wininit.exe

Filesize
4.9MB

MD5
7bcee51d69d6f7f7872dade20a2c5916

SHA1
4ad1278f8368527aa02d08c6ee86da5b22be2cab

SHA256
c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2

SHA512
8da8506093074361776f8b1693a2058fc6775be636034237c8ef7f5a03d422b881a9c8ea047b8d89bc314c649ba0c3bd7a16ac8dcd4c41d788135845bd151e34

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1528-245-0x00000000010C0000-0x00000000015B4000-memory.dmp

Filesize
5.0MB

Download
memory/1700-91-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/1800-169-0x0000000000390000-0x0000000000884000-memory.dmp

Filesize
5.0MB

Download
memory/1804-230-0x00000000001D0000-0x00000000006C4000-memory.dmp

Filesize
5.0MB

Download
memory/2276-90-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2360-184-0x0000000000F90000-0x0000000001484000-memory.dmp

Filesize
5.0MB

Download
memory/2360-185-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/2560-200-0x0000000001170000-0x0000000001664000-memory.dmp

Filesize
5.0MB

Download
memory/2632-139-0x0000000000DF0000-0x00000000012E4000-memory.dmp

Filesize
5.0MB

Download
memory/2632-140-0x0000000000710000-0x0000000000722000-memory.dmp

Filesize
72KB

Download
memory/2704-215-0x0000000000350000-0x0000000000844000-memory.dmp

Filesize
5.0MB

Download
memory/2708-154-0x00000000002F0000-0x00000000007E4000-memory.dmp

Filesize
5.0MB

Download
memory/2916-13-0x0000000000E40000-0x0000000000E4E000-memory.dmp

Filesize
56KB

Download
memory/2916-7-0x0000000000AD0000-0x0000000000AE6000-memory.dmp

Filesize
88KB

Download
memory/2916-11-0x0000000000CB0000-0x0000000000CBA000-memory.dmp

Filesize
40KB

Download
memory/2916-14-0x0000000000E50000-0x0000000000E58000-memory.dmp

Filesize
32KB

Download
memory/2916-10-0x0000000000CA0000-0x0000000000CB2000-memory.dmp

Filesize
72KB

Download
memory/2916-9-0x0000000000C90000-0x0000000000C9A000-memory.dmp

Filesize
40KB

Download
memory/2916-8-0x0000000000C80000-0x0000000000C90000-memory.dmp

Filesize
64KB

Download
memory/2916-0-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download
memory/2916-135-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/2916-12-0x0000000000E30000-0x0000000000E3E000-memory.dmp

Filesize
56KB

Download
memory/2916-15-0x0000000000E60000-0x0000000000E68000-memory.dmp

Filesize
32KB

Download
memory/2916-4-0x00000000005A0000-0x00000000005BC000-memory.dmp

Filesize
112KB

Download
memory/2916-16-0x0000000000E70000-0x0000000000E7C000-memory.dmp

Filesize
48KB

Download
memory/2916-6-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download
memory/2916-5-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

Filesize
32KB

Download
memory/2916-3-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/2916-2-0x000000001B640000-0x000000001B76E000-memory.dmp

Filesize
1.2MB

Download
memory/2916-1-0x0000000001280000-0x0000000001774000-memory.dmp

Filesize
5.0MB

Download