dcrat | 9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Size

1.5MB
MD5

04c9152dc94eab52c92ddf3133f3ac7b
SHA1

59be48b0636b28831dc5436e0fb75c27d3384cd6
SHA256

9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1
SHA512

6a8c302eb67a44a32dcc2461b64ab3193b65b8570d5f0b998b8924899943a9227fe45b71d5dc16f50674f9cff94cb477159d95670340f12f7eca8c71be8e3560
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRo:EzhWhCXQFN+0IEuQgyiVKw

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 7 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		988	schtasks.exe
File created	C:\Windows\System32\shadow\886983d96e3d3e		9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
		2588	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
		2948	schtasks.exe
		2208	schtasks.exe
		692	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\shadow\\csrss.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\shadow\\csrss.exe\", \"C:\\Windows\\ehome\\es-ES\\csrss.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\shadow\\csrss.exe\", \"C:\\Windows\\ehome\\es-ES\\csrss.exe\", \"C:\\ProgramData\\Start Menu\\lsm.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\shadow\\csrss.exe\", \"C:\\Windows\\ehome\\es-ES\\csrss.exe\", \"C:\\ProgramData\\Start Menu\\lsm.exe\", \"C:\\Windows\\System32\\mshtmler\\wininit.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\shadow\\csrss.exe\", \"C:\\Windows\\ehome\\es-ES\\csrss.exe\", \"C:\\ProgramData\\Start Menu\\lsm.exe\", \"C:\\Windows\\System32\\mshtmler\\wininit.exe\", \"C:\\Windows\\System32\\ssText3d\\smss.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2524	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2524	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2524	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2524	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2524	schtasks.exe	30

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1700	powershell.exe
1724	powershell.exe
1792	powershell.exe
1192	powershell.exe
1624	powershell.exe
1952	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe

Executes dropped EXE 10 IoCs

pid	Process
2176	wininit.exe
2080	wininit.exe
536	wininit.exe
540	wininit.exe
1088	wininit.exe
1068	wininit.exe
1556	wininit.exe
2684	wininit.exe
1916	wininit.exe
3032	wininit.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\ehome\\es-ES\\csrss.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\ProgramData\\Start Menu\\lsm.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\mshtmler\\wininit.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\ssText3d\\smss.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\shadow\\csrss.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\shadow\\csrss.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\mshtmler\\wininit.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\ssText3d\\smss.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\ehome\\es-ES\\csrss.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\ProgramData\\Start Menu\\lsm.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\mshtmler\RCX5C09.tmp	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File opened for modification	C:\Windows\System32\ssText3d\smss.exe	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File opened for modification	C:\Windows\System32\shadow\csrss.exe	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File created	C:\Windows\System32\shadow\886983d96e3d3e	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File created	C:\Windows\System32\ssText3d\69ddcba757bf72	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File created	C:\Windows\System32\ssText3d\smss.exe	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File opened for modification	C:\Windows\System32\shadow\RCX55FD.tmp	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File opened for modification	C:\Windows\System32\mshtmler\wininit.exe	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File opened for modification	C:\Windows\System32\ssText3d\RCX5E7A.tmp	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File created	C:\Windows\System32\shadow\csrss.exe	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File created	C:\Windows\System32\mshtmler\wininit.exe	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File created	C:\Windows\System32\mshtmler\56085415360792	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Boot\dwm.exe	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File created	C:\Windows\ehome\es-ES\csrss.exe	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File created	C:\Windows\ehome\es-ES\886983d96e3d3e	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File opened for modification	C:\Windows\ehome\es-ES\RCX5801.tmp	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File opened for modification	C:\Windows\ehome\es-ES\csrss.exe	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2208	schtasks.exe
692	schtasks.exe
988	schtasks.exe
2588	schtasks.exe
2948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
1700	powershell.exe
1192	powershell.exe
1952	powershell.exe
1724	powershell.exe
1792	powershell.exe
1624	powershell.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2176	wininit.exe
2080	wininit.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2176	wininit.exe
Token: SeDebugPrivilege	2080	wininit.exe
Token: SeDebugPrivilege	536	wininit.exe
Token: SeDebugPrivilege	540	wininit.exe
Token: SeDebugPrivilege	1088	wininit.exe
Token: SeDebugPrivilege	1068	wininit.exe
Token: SeDebugPrivilege	1556	wininit.exe
Token: SeDebugPrivilege	2684	wininit.exe
Token: SeDebugPrivilege	1916	wininit.exe
Token: SeDebugPrivilege	3032	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 1792	3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	36
PID 3032 wrote to memory of 1792	3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	36
PID 3032 wrote to memory of 1792	3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	36
PID 3032 wrote to memory of 1192	3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	37
PID 3032 wrote to memory of 1192	3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	37
PID 3032 wrote to memory of 1192	3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	37
PID 3032 wrote to memory of 1624	3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	38
PID 3032 wrote to memory of 1624	3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	38
PID 3032 wrote to memory of 1624	3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	38
PID 3032 wrote to memory of 1952	3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	39
PID 3032 wrote to memory of 1952	3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	39
PID 3032 wrote to memory of 1952	3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	39
PID 3032 wrote to memory of 1700	3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	40
PID 3032 wrote to memory of 1700	3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	40
PID 3032 wrote to memory of 1700	3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	40
PID 3032 wrote to memory of 1724	3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	41
PID 3032 wrote to memory of 1724	3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	41
PID 3032 wrote to memory of 1724	3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	41
PID 3032 wrote to memory of 2176	3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	48
PID 3032 wrote to memory of 2176	3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	48
PID 3032 wrote to memory of 2176	3032	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	48
PID 2176 wrote to memory of 928	2176	wininit.exe	49
PID 2176 wrote to memory of 928	2176	wininit.exe	49
PID 2176 wrote to memory of 928	2176	wininit.exe	49
PID 2176 wrote to memory of 2016	2176	wininit.exe	50
PID 2176 wrote to memory of 2016	2176	wininit.exe	50
PID 2176 wrote to memory of 2016	2176	wininit.exe	50
PID 928 wrote to memory of 2080	928	WScript.exe	51
PID 928 wrote to memory of 2080	928	WScript.exe	51
PID 928 wrote to memory of 2080	928	WScript.exe	51
PID 2080 wrote to memory of 2652	2080	wininit.exe	52
PID 2080 wrote to memory of 2652	2080	wininit.exe	52
PID 2080 wrote to memory of 2652	2080	wininit.exe	52
PID 2080 wrote to memory of 2612	2080	wininit.exe	53
PID 2080 wrote to memory of 2612	2080	wininit.exe	53
PID 2080 wrote to memory of 2612	2080	wininit.exe	53
PID 2652 wrote to memory of 536	2652	WScript.exe	54
PID 2652 wrote to memory of 536	2652	WScript.exe	54
PID 2652 wrote to memory of 536	2652	WScript.exe	54
PID 536 wrote to memory of 1812	536	wininit.exe	55
PID 536 wrote to memory of 1812	536	wininit.exe	55
PID 536 wrote to memory of 1812	536	wininit.exe	55
PID 536 wrote to memory of 2824	536	wininit.exe	56
PID 536 wrote to memory of 2824	536	wininit.exe	56
PID 536 wrote to memory of 2824	536	wininit.exe	56
PID 1812 wrote to memory of 540	1812	WScript.exe	58
PID 1812 wrote to memory of 540	1812	WScript.exe	58
PID 1812 wrote to memory of 540	1812	WScript.exe	58
PID 540 wrote to memory of 2328	540	wininit.exe	59
PID 540 wrote to memory of 2328	540	wininit.exe	59
PID 540 wrote to memory of 2328	540	wininit.exe	59
PID 540 wrote to memory of 2464	540	wininit.exe	60
PID 540 wrote to memory of 2464	540	wininit.exe	60
PID 540 wrote to memory of 2464	540	wininit.exe	60
PID 2328 wrote to memory of 1088	2328	WScript.exe	61
PID 2328 wrote to memory of 1088	2328	WScript.exe	61
PID 2328 wrote to memory of 1088	2328	WScript.exe	61
PID 1088 wrote to memory of 1056	1088	wininit.exe	62
PID 1088 wrote to memory of 1056	1088	wininit.exe	62
PID 1088 wrote to memory of 1056	1088	wininit.exe	62
PID 1088 wrote to memory of 2008	1088	wininit.exe	63
PID 1088 wrote to memory of 2008	1088	wininit.exe	63
PID 1088 wrote to memory of 2008	1088	wininit.exe	63
PID 1056 wrote to memory of 1068	1056	WScript.exe	64

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
"C:\Users\Admin\AppData\Local\Temp\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\shadow\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\es-ES\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Start Menu\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\mshtmler\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\ssText3d\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\mshtmler\wininit.exe
  "C:\Windows\System32\mshtmler\wininit.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2176
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3720716-de0c-4690-8df4-cc76d0586021.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:928
  - - C:\Windows\System32\mshtmler\wininit.exe
      C:\Windows\System32\mshtmler\wininit.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2080
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f946416-5efc-443c-a383-b8821bdd8376.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\System32\mshtmler\wininit.exe
        
        C:\Windows\System32\mshtmler\wininit.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c45c3dc9-2468-407f-ab19-fc053c2114a5.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\System32\mshtmler\wininit.exe
        
        C:\Windows\System32\mshtmler\wininit.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fbb2bfc-06e4-4cd7-a6c1-0422bf9fc238.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\System32\mshtmler\wininit.exe
        
        C:\Windows\System32\mshtmler\wininit.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\effbbf24-b075-40f4-904b-5ae4039a0b5d.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\System32\mshtmler\wininit.exe
        
        C:\Windows\System32\mshtmler\wininit.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb51e023-5e02-4a7a-bb97-4b6fd944c638.vbs"
        13⤵
        
        PID:568
        
        C:\Windows\System32\mshtmler\wininit.exe
        
        C:\Windows\System32\mshtmler\wininit.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e5f89e7-bbbc-4ae4-9f34-7d3ac7df82c2.vbs"
        15⤵
        
        PID:1844
        
        C:\Windows\System32\mshtmler\wininit.exe
        
        C:\Windows\System32\mshtmler\wininit.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d86cb034-b680-4e77-883b-906711a0f27f.vbs"
        17⤵
        
        PID:2660
        
        C:\Windows\System32\mshtmler\wininit.exe
        
        C:\Windows\System32\mshtmler\wininit.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05120d90-32e7-4b96-8f22-e849df2b06e7.vbs"
        19⤵
        
        PID:1832
        
        C:\Windows\System32\mshtmler\wininit.exe
        
        C:\Windows\System32\mshtmler\wininit.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6a164e0-dca4-4518-8194-633c71cde61f.vbs"
        21⤵
        
        PID:2692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0300c9bd-227f-4aa6-b10c-b41c89bbeccc.vbs"
        21⤵
        
        PID:2220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7144bd45-5899-497d-9252-cb828a29662c.vbs"
        19⤵
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\917fa5f4-084a-4219-84e4-73b025d10a07.vbs"
        17⤵
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bd6c5a2-f508-4827-8549-1c956a9815f0.vbs"
        15⤵
        
        PID:2488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6f6412e-6b03-4c32-b371-871df659e1fc.vbs"
        13⤵
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3d1cd15-75a4-4301-9cc4-cde7435eb282.vbs"
        11⤵
        
        PID:2008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f29ee4d0-8306-4d6d-b3f3-4bab78ab5af4.vbs"
        9⤵
        
        PID:2464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3dc1107-3456-43e0-988a-f0e3296f46f9.vbs"
        7⤵
        
        PID:2824
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62ea4a92-c1d0-4375-925c-9c84c28bda4d.vbs"
        5⤵
        
        PID:2612
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c5cef13-29a0-4097-b5df-b15005a98074.vbs"
    3⤵
    PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\shadow\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ehome\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\mshtmler\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\ssText3d\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\05120d90-32e7-4b96-8f22-e849df2b06e7.vbs

Filesize
716B

MD5
14f59b7b6cccba9413b03befbc27626b

SHA1
07f7ab1737b772e406a14ec56d8610151b56b64e

SHA256
bef6ce01096fd437e282b3a994b3fff5b925db91ebe3dd002b8237fb0ffc56dd

SHA512
207c2ccdcdbbf7ac71d7bfdee79141e010aee9f079de0621644abacb1ffb446d11918e8d026d9174673c0ad456a41d233ae6bac32fd02765be04f07e79107580

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fbb2bfc-06e4-4cd7-a6c1-0422bf9fc238.vbs

Filesize
715B

MD5
a8e178c45ad650308a9a2ad525474a7b

SHA1
7b27970ce83133294536b49e952172b17ba9a12e

SHA256
2c63b15a45a59b54c76f90a9a9b6f542575971744a6b2c818fb55025e4147298

SHA512
10fec15ade34457fcabc365ee218cc8a50505b7710cba17ca9cd04392177e77730e684aee7b851b0bc95d6d423e9978c623277b6abc58821ce4fcd179c7663f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c5cef13-29a0-4097-b5df-b15005a98074.vbs

Filesize
492B

MD5
99f696b75654dfea5af50b2da600b85b

SHA1
f12e45e3f39b11fa26e64d73227cc7fd4f049150

SHA256
16e31dfaf2c1006c79a399988f791941fa3799d1467dc251f2dec355462a1095

SHA512
27979a74924ff4fb2b85759f5e36e4114f07b84871ab69cec1a4d099f8b1f707579c92029c9bf474ad8bb10a5f6973d360feb6eeb30d4e310eb7d00fd45946d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e5f89e7-bbbc-4ae4-9f34-7d3ac7df82c2.vbs

Filesize
716B

MD5
674932a2a90bbbf418c35bef7fec063e

SHA1
0ccba4461364ec348161204dbbf980180cba0d32

SHA256
b5c1936a828706d7a2c3e7f28bc4c009324bafc899ecc62fff330e7c36247cfd

SHA512
33c9ae9de6b4c37b4e6da01e9665d85924ba5b1e0edb30e2a3c158e3d918ac6b4bf6ed06412968cccbe3cfc87552255cf6e33ddd26634480429122a6fdcf3682

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f946416-5efc-443c-a383-b8821bdd8376.vbs

Filesize
716B

MD5
95642f384aded008fda1c526be80438c

SHA1
d84349104086592858c2bdb5910a8e7f74099c38

SHA256
1fa2ccdec51883cea5ffe85d137480afcc6aa3c83981c11561b20a6681a36513

SHA512
8e9da2012c2e45e08761fd3204a2015276b6a1f21798743b07ee26559c059b624016531f9d31c7ef705d9bea7e30e4e785caa62eab0f50f8e21534698d173f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3720716-de0c-4690-8df4-cc76d0586021.vbs

Filesize
716B

MD5
56bf50aaec383f4f56926f03d9241247

SHA1
16062cd471348406462d42a920812946f29bcdd3

SHA256
0e874004c80215edbd29cc183b38709d001b86e8565421de6fa0a6a0f107ff69

SHA512
a67b5defdeec045187475057f14beb0353a43d44bb00f988fd408224b9d5096e1ecde0da16417e9bcbf5e1f4a05630b912db53343b6ddd48f6b864add9dfb973

Download Submit
C:\Users\Admin\AppData\Local\Temp\c45c3dc9-2468-407f-ab19-fc053c2114a5.vbs

Filesize
715B

MD5
86a66ec941b78bf9ca2758217c81a327

SHA1
6c89167c6fa172dc006c24d205d262eefc4d6876

SHA256
d2663ad7591ec5017f2553c203c56920db8de21b4b7b04cb1153c4454a457a58

SHA512
53ddfc364fe6d4773c46704339d7b64c5e9174f00edb626672de25cc4d016d22069d56a9df3977617476c93647cb7f9f9f12abe9d864a699ba0ca2d56669a891

Download Submit
C:\Users\Admin\AppData\Local\Temp\d86cb034-b680-4e77-883b-906711a0f27f.vbs

Filesize
716B

MD5
2138c9826f33a1c3e98b94bd88e2956d

SHA1
4d41ee258a1eaf10ea8fe9219287f1f1e9c68435

SHA256
32c21d96c3f910ed144fb6567726871db607f7c9b7f3bcc26d68c6102bfdb391

SHA512
1c026d02c2f64a7d2d14cd6daef13c8976372423e51e2243559269afeef61a96fab3a883666f9ef33a9301c2e3c41f21b401c3ad47a566ab1f4cdf3f0a96a8ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6a164e0-dca4-4518-8194-633c71cde61f.vbs

Filesize
716B

MD5
01197637f91dd002ec93b31485f2fbef

SHA1
f9db3c9ab5cf6b39785beb7bcc45b9b4cabc008d

SHA256
accf10ffbab72fc6039fd923ebfeb9c25e4670a97290661e9bb127ca7d8bc555

SHA512
69e7af12816ca8c9edec1264395f896c11c75a8c06e3032e56216151bad4165c9033af5a542728749bb74b63d0e690d9c95f3d275745c39e67648382b19dae2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\effbbf24-b075-40f4-904b-5ae4039a0b5d.vbs

Filesize
716B

MD5
0180d8df8a272297c9b33284d31fcbcf

SHA1
c2512e040e607fe6c6b8b771c521eacdda3b171c

SHA256
502fbf79f4aed3b5065c9fb4f812b9c85cd641d04210d4c735e2cf53e6c3daa4

SHA512
71cd7a0265f2dbc045d5434b1641023e00cccff1160f290316de3e6c4383bc343fd04177dca6c3e697b20de4c5a567ef1826759fe633a5e4487b8d0bfb9322eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb51e023-5e02-4a7a-bb97-4b6fd944c638.vbs

Filesize
716B

MD5
d4f6926509e0b01d539994832fc9a167

SHA1
e09f91c14496a9493888192b809b08cef571a6e4

SHA256
aa574edf8d89c95c9e078815f66ce129ae9838d51040dd1a1263f01149b51d3a

SHA512
c8c6f7efd3a6d2af1f15eb5b08d7702db0dc4d54eaa0653fd2789c6775cb82e7f08cd9c98372a75c76cb777deb78dcd8acd4956fc487241578da4bf10bc1cf4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d4367a3876761edce22be245625e148e

SHA1
d22e4b335925c725d2909a766f8677e3e04409aa

SHA256
8850300f5c9838870ccc74aa689e97f06c0108f5d92462dafc8dbe429da03ae3

SHA512
32d8917beb053153263152e6918031c41bff8aad02dc8c0e2970a6ce026a8d1a87e480e543eed5d9c0c88699537510ad594d3f74a4b108eac006a1298c4d3beb

Download Submit
C:\Windows\System32\mshtmler\wininit.exe

Filesize
1.5MB

MD5
391e3c2608389d2e886b3ede1c083164

SHA1
777fd7f1f9e7a140a1692f380e01ebf1137beabe

SHA256
c7725717e508cc03a56ef644762692d2691fb93e8efb66bd05a598224721b559

SHA512
25f8931a3ae18936fc37e50aa372b8713dc45cae41d0ec38e9eccd100d9e3c8e5fe0f2fcc9dcfaed1c48e06f2e316d2b3f851b176c4233d81f1fa86999fcaebf

Download Submit
C:\Windows\System32\ssText3d\smss.exe

Filesize
1.5MB

MD5
04c9152dc94eab52c92ddf3133f3ac7b

SHA1
59be48b0636b28831dc5436e0fb75c27d3384cd6

SHA256
9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1

SHA512
6a8c302eb67a44a32dcc2461b64ab3193b65b8570d5f0b998b8924899943a9227fe45b71d5dc16f50674f9cff94cb477159d95670340f12f7eca8c71be8e3560

Download Submit
memory/540-144-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/1088-156-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/1556-179-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1700-105-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/1700-81-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2080-121-0x0000000000F30000-0x00000000010AE000-memory.dmp

Filesize
1.5MB

Download
memory/2176-85-0x0000000000B00000-0x0000000000C7E000-memory.dmp

Filesize
1.5MB

Download
memory/2684-191-0x0000000001220000-0x000000000139E000-memory.dmp

Filesize
1.5MB

Download
memory/3032-11-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/3032-18-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/3032-13-0x00000000022A0000-0x00000000022AA000-memory.dmp

Filesize
40KB

Download
memory/3032-82-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-0-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp

Filesize
4KB

Download
memory/3032-24-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-12-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/3032-21-0x000000001ADC0000-0x000000001ADC8000-memory.dmp

Filesize
32KB

Download
memory/3032-14-0x00000000022B0000-0x00000000022BC000-memory.dmp

Filesize
48KB

Download
memory/3032-10-0x0000000002170000-0x0000000002180000-memory.dmp

Filesize
64KB

Download
memory/3032-20-0x0000000002380000-0x000000000238C000-memory.dmp

Filesize
48KB

Download
memory/3032-9-0x0000000002160000-0x000000000216C000-memory.dmp

Filesize
48KB

Download
memory/3032-8-0x0000000002150000-0x0000000002158000-memory.dmp

Filesize
32KB

Download
memory/3032-43-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-7-0x0000000002140000-0x000000000214C000-memory.dmp

Filesize
48KB

Download
memory/3032-17-0x00000000022E0000-0x00000000022EC000-memory.dmp

Filesize
48KB

Download
memory/3032-6-0x00000000020A0000-0x00000000020AA000-memory.dmp

Filesize
40KB

Download
memory/3032-5-0x0000000002130000-0x000000000213C000-memory.dmp

Filesize
48KB

Download
memory/3032-16-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/3032-4-0x0000000002090000-0x00000000020A2000-memory.dmp

Filesize
72KB

Download
memory/3032-15-0x00000000022C0000-0x00000000022CA000-memory.dmp

Filesize
40KB

Download
memory/3032-3-0x0000000002080000-0x0000000002088000-memory.dmp

Filesize
32KB

Download
memory/3032-2-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-214-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/3032-1-0x0000000000020000-0x000000000019E000-memory.dmp

Filesize
1.5MB

Download