dcrat | 42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986

Analysis

max time kernel
116s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/11/2024, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
Size

4.9MB
MD5

c4f491ec0a2f5bafc5d099a48035fe40
SHA1

b43d26d51afced257db87d8b712182f677fc1c34
SHA256

42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986
SHA512

09c65c27e810a797ab6e5630b099b912965a513a74ec285093b41c5796a9a7c574c9cf0896501c1e1787f52c771d07ae185a47a67160029df206366a227319dc
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	1792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	1792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	1792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	1792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	1792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	1792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	1792	schtasks.exe	30

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1780-3-0x000000001BC00000-0x000000001BD2E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2812	powershell.exe
332	powershell.exe
796	powershell.exe
728	powershell.exe
304	powershell.exe
1092	powershell.exe
1828	powershell.exe
2908	powershell.exe
976	powershell.exe
296	powershell.exe
708	powershell.exe
1924	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
1684	Idle.exe
1476	Idle.exe
2188	Idle.exe
1568	Idle.exe
796	Idle.exe
2944	Idle.exe
2068	Idle.exe
2448	Idle.exe
1964	Idle.exe
308	Idle.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\schemas\AvailableNetwork\sppsvc.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Windows\schemas\AvailableNetwork\sppsvc.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Windows\schemas\AvailableNetwork\0a1fd5f707cd16	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Windows\schemas\AvailableNetwork\RCXA5D2.tmp	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2992	schtasks.exe
1808	schtasks.exe
2604	schtasks.exe
2856	schtasks.exe
2860	schtasks.exe
2508	schtasks.exe
2772	schtasks.exe
2804	schtasks.exe
2876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
1924	powershell.exe
332	powershell.exe
2908	powershell.exe
2812	powershell.exe
708	powershell.exe
728	powershell.exe
304	powershell.exe
1828	powershell.exe
296	powershell.exe
976	powershell.exe
796	powershell.exe
1092	powershell.exe
1684	Idle.exe
1476	Idle.exe
2188	Idle.exe
1568	Idle.exe
796	Idle.exe
2944	Idle.exe
2068	Idle.exe
2448	Idle.exe
1964	Idle.exe
308	Idle.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	296	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	1684	Idle.exe
Token: SeDebugPrivilege	1476	Idle.exe
Token: SeDebugPrivilege	2188	Idle.exe
Token: SeDebugPrivilege	1568	Idle.exe
Token: SeDebugPrivilege	796	Idle.exe
Token: SeDebugPrivilege	2944	Idle.exe
Token: SeDebugPrivilege	2068	Idle.exe
Token: SeDebugPrivilege	2448	Idle.exe
Token: SeDebugPrivilege	1964	Idle.exe
Token: SeDebugPrivilege	308	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 1092	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	40
PID 1780 wrote to memory of 1092	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	40
PID 1780 wrote to memory of 1092	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	40
PID 1780 wrote to memory of 296	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	41
PID 1780 wrote to memory of 296	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	41
PID 1780 wrote to memory of 296	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	41
PID 1780 wrote to memory of 1828	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	42
PID 1780 wrote to memory of 1828	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	42
PID 1780 wrote to memory of 1828	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	42
PID 1780 wrote to memory of 2908	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	43
PID 1780 wrote to memory of 2908	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	43
PID 1780 wrote to memory of 2908	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	43
PID 1780 wrote to memory of 708	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	44
PID 1780 wrote to memory of 708	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	44
PID 1780 wrote to memory of 708	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	44
PID 1780 wrote to memory of 1924	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	45
PID 1780 wrote to memory of 1924	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	45
PID 1780 wrote to memory of 1924	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	45
PID 1780 wrote to memory of 2812	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	46
PID 1780 wrote to memory of 2812	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	46
PID 1780 wrote to memory of 2812	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	46
PID 1780 wrote to memory of 332	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	47
PID 1780 wrote to memory of 332	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	47
PID 1780 wrote to memory of 332	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	47
PID 1780 wrote to memory of 796	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	48
PID 1780 wrote to memory of 796	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	48
PID 1780 wrote to memory of 796	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	48
PID 1780 wrote to memory of 728	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	49
PID 1780 wrote to memory of 728	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	49
PID 1780 wrote to memory of 728	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	49
PID 1780 wrote to memory of 976	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	50
PID 1780 wrote to memory of 976	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	50
PID 1780 wrote to memory of 976	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	50
PID 1780 wrote to memory of 304	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	51
PID 1780 wrote to memory of 304	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	51
PID 1780 wrote to memory of 304	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	51
PID 1780 wrote to memory of 2044	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	64
PID 1780 wrote to memory of 2044	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	64
PID 1780 wrote to memory of 2044	1780	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	64
PID 2044 wrote to memory of 1672	2044	cmd.exe	66
PID 2044 wrote to memory of 1672	2044	cmd.exe	66
PID 2044 wrote to memory of 1672	2044	cmd.exe	66
PID 2044 wrote to memory of 1684	2044	cmd.exe	67
PID 2044 wrote to memory of 1684	2044	cmd.exe	67
PID 2044 wrote to memory of 1684	2044	cmd.exe	67
PID 1684 wrote to memory of 2612	1684	Idle.exe	69
PID 1684 wrote to memory of 2612	1684	Idle.exe	69
PID 1684 wrote to memory of 2612	1684	Idle.exe	69
PID 1684 wrote to memory of 1800	1684	Idle.exe	70
PID 1684 wrote to memory of 1800	1684	Idle.exe	70
PID 1684 wrote to memory of 1800	1684	Idle.exe	70
PID 2612 wrote to memory of 1476	2612	WScript.exe	71
PID 2612 wrote to memory of 1476	2612	WScript.exe	71
PID 2612 wrote to memory of 1476	2612	WScript.exe	71
PID 1476 wrote to memory of 2588	1476	Idle.exe	72
PID 1476 wrote to memory of 2588	1476	Idle.exe	72
PID 1476 wrote to memory of 2588	1476	Idle.exe	72
PID 1476 wrote to memory of 1372	1476	Idle.exe	73
PID 1476 wrote to memory of 1372	1476	Idle.exe	73
PID 1476 wrote to memory of 1372	1476	Idle.exe	73
PID 2588 wrote to memory of 2188	2588	WScript.exe	74
PID 2588 wrote to memory of 2188	2588	WScript.exe	74
PID 2588 wrote to memory of 2188	2588	WScript.exe	74
PID 2188 wrote to memory of 1284	2188	Idle.exe	75

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
"C:\Users\Admin\AppData\Local\Temp\42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HsYXLdrTEU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1672
- - C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
    "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1684
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85cc7941-4b5e-43de-9253-f2fb7127abe6.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1476
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d75f3a3-fc10-48d8-86ca-4cff89c5faf7.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d26c9d25-ceb0-4036-9998-bce8c8229d30.vbs"
        8⤵
        
        PID:1284
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db0659b3-e73b-4d9a-9675-444e547a9f93.vbs"
        10⤵
        
        PID:1328
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed5b41e0-32c2-422b-97b0-ce45543be4e3.vbs"
        12⤵
        
        PID:2844
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0802953d-b5c2-4b8e-acc6-227ffa03b802.vbs"
        14⤵
        
        PID:1652
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bde9bfce-fa1e-433d-be39-b40dbd00168a.vbs"
        16⤵
        
        PID:1348
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4938e58-b6ca-4719-9847-7fae232d4a98.vbs"
        18⤵
        
        PID:1576
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fbbc90e-b6fb-489a-84b4-58786a08a965.vbs"
        20⤵
        
        PID:2728
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97c06bb8-1859-4162-bfcb-bf2d468c234c.vbs"
        22⤵
        
        PID:1804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f34a9adf-d1e0-45df-9ace-5a1a10eeaaec.vbs"
        22⤵
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cce11e8-e76a-48a0-89c7-774bcbb9ad22.vbs"
        20⤵
        
        PID:2880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\748b0f4b-92e2-49d9-a0f7-5ac6a2dde128.vbs"
        18⤵
        
        PID:1112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d5edaba-2414-4cbe-b712-e4e3d6f18118.vbs"
        16⤵
        
        PID:1608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13cb95dc-9ba1-46ed-8997-d8e86ad3d4ed.vbs"
        14⤵
        
        PID:2524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1f36b91-2534-4794-81af-47486b219217.vbs"
        12⤵
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ee928bf-ea00-46a2-9ea4-33ea82ae17b1.vbs"
        10⤵
        
        PID:1076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f168887f-4dc6-4387-a7dd-b8c1b6a909c6.vbs"
        8⤵
        
        PID:2480
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a7cdc98-ff7a-49a9-ae91-5bd59d95d4fe.vbs"
        6⤵
        
        PID:1372
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c252f65-11df-45b2-8d78-dd3bf9918a66.vbs"
      4⤵
      PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\schemas\AvailableNetwork\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\schemas\AvailableNetwork\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\schemas\AvailableNetwork\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe

Filesize
4.9MB

MD5
e4d08df8f6c67655738d480cc217384c

SHA1
0f726af71fb0e0a9cf8f610a700f9d580280a5b7

SHA256
48d32ce0feedc11d83f54dd107bfd54327da335fe146babd3fda3768c962bbce

SHA512
499ca5ba9e35bdf6400d9dfa9b1abd4d6c7d00df55ae6f283d100f6f83382645ebd3ed7a33c96b519fcd3734d2cc406641deb6466837ccf4e2b031361407bdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\0802953d-b5c2-4b8e-acc6-227ffa03b802.vbs

Filesize
733B

MD5
cfd8449dec7c487953ee45a9b301dab0

SHA1
df1fbd686854dfed35df2bda7bed5b95ae39e184

SHA256
9ff154be3cdd4cd6056371e14e100f4d790e4de98ecc26e51f41c7531fbc336b

SHA512
57d0cb7c7652f62f3c9dc7c398a7f8b761e1f772f015d5972397bbb75078ff5bb3896e8fb0207471f0229e4ba092d2af2124072975f65ec9dba3e37a63b68d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d75f3a3-fc10-48d8-86ca-4cff89c5faf7.vbs

Filesize
733B

MD5
caf842826286874ab583536f401251c9

SHA1
8d4b1d0b6257000b71bfaa23f0f61ff6c088e3cf

SHA256
b6f83acc6bd2e6f5afa47b66092d767a2de88cedb9ed1ad041912789874578be

SHA512
c84a48917a7795f485ad774e337a31c9a398fe81de1122c74425c8fe7e3b02867e15b70a12abe0550dca71301b0ac284a32e6db92134db2c3545888a061bb580

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fbbc90e-b6fb-489a-84b4-58786a08a965.vbs

Filesize
733B

MD5
800bf7f83b1c5d0e577b9cf05cf55648

SHA1
047a9f5565cfccddff5cbb167db1f86b0c67e2cb

SHA256
e5cfd0767485e2a54b7c1b5c89f91ab909eaefd819542ad2e706651cb3aa067c

SHA512
77bb94f96c9d771442964bb57e9baf6a32a15a134ec47728644b7f34cf67d0b57a18e98a8714771dcbcda359e9a02b50aaa2d9b74c27a88eed52dae8e3732bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c252f65-11df-45b2-8d78-dd3bf9918a66.vbs

Filesize
509B

MD5
49ff6f3781c41de38c027a4d5c04718f

SHA1
f197547837aebe79a7fd48e672366e5e6821aeac

SHA256
0f533973299876bc909a2782444bb00dd2855765c9461a6606265b987f953e77

SHA512
981739d6da3d52fdcf3eab67f2d8d08f2aa3133713bb76a232a815bb7c655aecd387274556d449aedc227c6997eb0410cc5f01ea262d26af54b43cb0b2c18895

Download Submit
C:\Users\Admin\AppData\Local\Temp\85cc7941-4b5e-43de-9253-f2fb7127abe6.vbs

Filesize
733B

MD5
4cb4737f3cd4414affc3702571772d20

SHA1
1fde68dfa3b3420432d616271b637eeb97de0ebe

SHA256
547391d61b8fd7a1fafe7fbf74972c0458e7d7e4e2f0e71e13e6244bf4c6d461

SHA512
0f14a5335a705abe9637d2efa8074a77754503d4030b4891ddf4e40e025a74d7f13b91f9c2a13ae2c884b5d7779962b791ddaa1c02725d05165bdac3ead45e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\97c06bb8-1859-4162-bfcb-bf2d468c234c.vbs

Filesize
732B

MD5
e9ed45aaa2d246aefb8699f09f698b03

SHA1
5a96521b864d551b08bf11c296b2f1787249c1ef

SHA256
d9fcaf997a92f05fa36ebae349449bb00ce300012c467b7586b15e29f5b5fbdb

SHA512
63c5d6c7ab3103fe48939bf985f053aba1e632312d352263a12ffba2f8f007131f96a5febd9b583ac004bef121fddea50215b762dffc4b163d22de1c2d9ccd13

Download Submit
C:\Users\Admin\AppData\Local\Temp\HsYXLdrTEU.bat

Filesize
222B

MD5
0e4585606b036d9cb20a2d58e6d154e9

SHA1
ce46892a726b11ff467b6e4444a37aee783a936e

SHA256
1e771a591da481d0dbbe93686362b09b029f693f4f920cb4d9f9be369d21d59a

SHA512
ffe13fa2d7e9b7c345d271c764faef65b76f8e245f3df9a7c99971328d1fad1f5b6e48a02e01ca0052b615b1461a29027d90358c6f7ad770f9ab3f7da41b3b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4938e58-b6ca-4719-9847-7fae232d4a98.vbs

Filesize
733B

MD5
7eeb40122804ff1245c35e8db4b3ac3d

SHA1
c8ef9e7cb2c3d35d97b64bb68440aa8b4256a402

SHA256
8cc154337817122bf00ee3f746b4b7d30239bd0b2ad8a04f30cd31db8ebe48a9

SHA512
3fbaf079ec6a26a4625b5b0b715e57d598da1b811112d4efadc24a1e3195c7f63a56ecfff9ab227706e38483dedf7e99aebebbbe5fd1495122d33739d1cf8740

Download Submit
C:\Users\Admin\AppData\Local\Temp\bde9bfce-fa1e-433d-be39-b40dbd00168a.vbs

Filesize
733B

MD5
01034d3dc81e4e18c5d1495a8f4438c6

SHA1
26d844203219931bbb4fb8e332c5a84225eef3ec

SHA256
b9af2c2db5558150f6cf4fae8d7f8bd00fe44950c538041c9c84f4e026502c1a

SHA512
5948220afdf025a04d0ea42daf99ed3e0e58cbfea2b6cf2485d7866f842d17796c97af519dca8e1366a7de8683451b0346097157fab1182e9803753a661b94fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d26c9d25-ceb0-4036-9998-bce8c8229d30.vbs

Filesize
733B

MD5
27f8afe9a0a02ac4212ef436a74fbbdc

SHA1
d0abdaeb14f1492bd8e4e42158e75512d4558f80

SHA256
40b35f0b60d0a4a96365b80ad14685b046152108abefd8032837db76a85a47d6

SHA512
c0c9d0fb00aebc5d96b430ae2a403b52876bd9c6d6f3cb2887fd498ad848e6029e8f79d68889ee9844e479c0f133f2a8ea1084ebdcc703a33f7a2dac62579e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\db0659b3-e73b-4d9a-9675-444e547a9f93.vbs

Filesize
733B

MD5
f596c12f099bb00c8194f188dd225928

SHA1
fe38805bb71c549e97940f6b9da198c0aa95a808

SHA256
0205a739c13f69cfc1a16b5c293317a24516d32125c59d4f6e83a444f105898b

SHA512
ee6f90c8826a26fe9ee33b09c03f2859956231d16dda9c34de7f1e1804c378dc14817163e557a652e7b7046eca0aeff82708060dba12e7eeadc2468b6b9a9aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed5b41e0-32c2-422b-97b0-ce45543be4e3.vbs

Filesize
732B

MD5
3f3465ebe2242cca06ae29037a22abfe

SHA1
4a4c59fc828ef69d3595676954a29aa2d9a883e8

SHA256
3cbac89fc675fda385da26385e6406826b8c6f53f7b177f80284c4f38d86d9e8

SHA512
32fd065d4254ec352280221798289490c831caa1a9db547068f53220ac7bc7e1dff8edb44423ba80e00d2098bd0fcf86eabf49fa3c4b19357f783fecdfa15a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD308.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a0770c46b8f26ab84b53ec7a4bdc6d03

SHA1
1cc1fd7221b73aa6e3a30bab1a1661e9c6fd7e37

SHA256
15850674ad353eb59680d1a45b32f1027126ab4427842e5467dfa5e4fc825c13

SHA512
4a08f3d1404bf9f21e2a42d6e0b1d38339a8f8970d4096b92e4eb0d5a428ca4257dc71375293683ee1cc63a548d28dfd9b01e3f413436a5ab32a113770d91d95

Download Submit
C:\Windows\schemas\AvailableNetwork\sppsvc.exe

Filesize
4.9MB

MD5
c4f491ec0a2f5bafc5d099a48035fe40

SHA1
b43d26d51afced257db87d8b712182f677fc1c34

SHA256
42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986

SHA512
09c65c27e810a797ab6e5630b099b912965a513a74ec285093b41c5796a9a7c574c9cf0896501c1e1787f52c771d07ae185a47a67160029df206366a227319dc

Download Submit
memory/308-241-0x0000000000A90000-0x0000000000AA2000-memory.dmp

Filesize
72KB

Download
memory/308-240-0x00000000002C0000-0x00000000007B4000-memory.dmp

Filesize
5.0MB

Download
memory/708-71-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/796-166-0x0000000000B60000-0x0000000000B72000-memory.dmp

Filesize
72KB

Download
memory/1684-107-0x0000000001180000-0x0000000001674000-memory.dmp

Filesize
5.0MB

Download
memory/1684-108-0x0000000000D10000-0x0000000000D22000-memory.dmp

Filesize
72KB

Download
memory/1780-1-0x00000000009D0000-0x0000000000EC4000-memory.dmp

Filesize
5.0MB

Download
memory/1780-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

Filesize
4KB

Download
memory/1780-14-0x0000000002400000-0x0000000002408000-memory.dmp

Filesize
32KB

Download
memory/1780-53-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/1780-9-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/1780-8-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/1780-15-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/1780-12-0x00000000023E0000-0x00000000023EE000-memory.dmp

Filesize
56KB

Download
memory/1780-11-0x00000000023D0000-0x00000000023DA000-memory.dmp

Filesize
40KB

Download
memory/1780-7-0x0000000000980000-0x0000000000996000-memory.dmp

Filesize
88KB

Download
memory/1780-6-0x0000000000560000-0x0000000000570000-memory.dmp

Filesize
64KB

Download
memory/1780-10-0x00000000009C0000-0x00000000009D2000-memory.dmp

Filesize
72KB

Download
memory/1780-2-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/1780-13-0x00000000023F0000-0x00000000023FE000-memory.dmp

Filesize
56KB

Download
memory/1780-5-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/1780-4-0x0000000000530000-0x000000000054C000-memory.dmp

Filesize
112KB

Download
memory/1780-16-0x0000000002420000-0x000000000242C000-memory.dmp

Filesize
48KB

Download
memory/1780-3-0x000000001BC00000-0x000000001BD2E000-memory.dmp

Filesize
1.2MB

Download
memory/1924-72-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/1964-224-0x0000000000CB0000-0x00000000011A4000-memory.dmp

Filesize
5.0MB

Download
memory/1964-225-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2188-136-0x0000000001250000-0x0000000001744000-memory.dmp

Filesize
5.0MB

Download
memory/2188-137-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2448-209-0x0000000000190000-0x0000000000684000-memory.dmp

Filesize
5.0MB

Download