dcrat | 54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ef44e6c54801a42dc9cff0bf0459036.exe
Size

1.8MB
MD5

7ef44e6c54801a42dc9cff0bf0459036
SHA1

45322aee2375b98a8b443e08d5e9f58ac10e9e2d
SHA256

54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab
SHA512

dfdd479a802f308cc1b49886020cf420127dd87be5642d27452c3ee08198b1efbfca8358e62ed91141ed778ce3cef7ff154e0114eae27220ce81d6cd1acb5250
SSDEEP

49152:ZWqKKPZ1snfJ+rqDPuQDLME5MT4rDQNpfh:DKKZ1sRD2Q3N5MT4r

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2848	schtasks.exe	30

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7ef44e6c54801a42dc9cff0bf0459036.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7ef44e6c54801a42dc9cff0bf0459036.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7ef44e6c54801a42dc9cff0bf0459036.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/3020-1-0x0000000000D50000-0x0000000000F1C000-memory.dmp	dcrat
behavioral1/files/0x0005000000019214-30.dat	dcrat
behavioral1/files/0x000a00000001937b-101.dat	dcrat
behavioral1/files/0x000b000000016c03-112.dat	dcrat
behavioral1/files/0x0007000000019214-123.dat	dcrat
behavioral1/files/0x000600000001945c-165.dat	dcrat
behavioral1/files/0x00070000000195c2-179.dat	dcrat
behavioral1/files/0x00070000000195c6-190.dat	dcrat
behavioral1/memory/2084-313-0x0000000000B10000-0x0000000000CDC000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3052	powershell.exe
992	powershell.exe
868	powershell.exe
2536	powershell.exe
960	powershell.exe
496	powershell.exe
1076	powershell.exe
2032	powershell.exe
1520	powershell.exe
1960	powershell.exe
2000	powershell.exe
1260	powershell.exe
1400	powershell.exe
1628	powershell.exe
2944	powershell.exe
2828	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2084	lsass.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7ef44e6c54801a42dc9cff0bf0459036.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7ef44e6c54801a42dc9cff0bf0459036.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\f3b6ecef712a24	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\spoolsv.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\smss.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX6028.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Program Files\Uninstall Information\886983d96e3d3e	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Program Files (x86)\Windows Portable Devices\smss.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Program Files (x86)\Windows Portable Devices\69ddcba757bf72	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Program Files\Uninstall Information\csrss.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX45AF.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files\Uninstall Information\csrss.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\spoolsv.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\RCX433D.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX45AE.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX6027.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\RCX42FD.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\OSPPSVC.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Windows\Fonts\OSPPSVC.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Windows\Vss\Writers\sppsvc.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Windows\Vss\RCX4CA6.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Windows\Vss\Writers\RCX5E23.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Windows\Vss\Writers\RCX5E22.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Windows\Vss\taskhost.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Windows\Vss\b75386f1303e64	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Windows\twain_32\cc11b995f2a76d	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Windows\Fonts\RCX40E9.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Windows\Vss\RCX4D14.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Windows\Vss\taskhost.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Windows\twain_32\RCX4F37.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Windows\rescache\rc0006\7ef44e6c54801a42dc9cff0bf0459036.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Windows\twain_32\winlogon.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Windows\Vss\Writers\sppsvc.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Windows\Fonts\1610b97d3ab4a7	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Windows\twain_32\winlogon.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Windows\Vss\Writers\0a1fd5f707cd16	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Windows\Fonts\RCX40EA.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Windows\twain_32\RCX4F38.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1796	schtasks.exe
1028	schtasks.exe
1932	schtasks.exe
2204	schtasks.exe
1280	schtasks.exe
1440	schtasks.exe
2480	schtasks.exe
112	schtasks.exe
2428	schtasks.exe
2436	schtasks.exe
2016	schtasks.exe
2532	schtasks.exe
1684	schtasks.exe
3028	schtasks.exe
2492	schtasks.exe
2876	schtasks.exe
1864	schtasks.exe
2024	schtasks.exe
2580	schtasks.exe
1268	schtasks.exe
2192	schtasks.exe
2628	schtasks.exe
1632	schtasks.exe
2352	schtasks.exe
1696	schtasks.exe
908	schtasks.exe
2444	schtasks.exe
2908	schtasks.exe
2036	schtasks.exe
1732	schtasks.exe
1104	schtasks.exe
292	schtasks.exe
320	schtasks.exe
760	schtasks.exe
408	schtasks.exe
1820	schtasks.exe
712	schtasks.exe
2112	schtasks.exe
2168	schtasks.exe
3060	schtasks.exe
2948	schtasks.exe
1356	schtasks.exe
2584	schtasks.exe
3000	schtasks.exe
2212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
2000	powershell.exe
1628	powershell.exe
2828	powershell.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
3020	7ef44e6c54801a42dc9cff0bf0459036.exe
2536	powershell.exe
1400	powershell.exe
2944	powershell.exe
496	powershell.exe
3052	powershell.exe
1520	powershell.exe
2032	powershell.exe
868	powershell.exe
992	powershell.exe
960	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2084	lsass.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	7ef44e6c54801a42dc9cff0bf0459036.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	496	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	2084	lsass.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeBackupPrivilege	2624	vssvc.exe
Token: SeRestorePrivilege	2624	vssvc.exe
Token: SeAuditPrivilege	2624	vssvc.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 960	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	76
PID 3020 wrote to memory of 960	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	76
PID 3020 wrote to memory of 960	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	76
PID 3020 wrote to memory of 1960	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	77
PID 3020 wrote to memory of 1960	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	77
PID 3020 wrote to memory of 1960	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	77
PID 3020 wrote to memory of 2536	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	78
PID 3020 wrote to memory of 2536	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	78
PID 3020 wrote to memory of 2536	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	78
PID 3020 wrote to memory of 496	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	79
PID 3020 wrote to memory of 496	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	79
PID 3020 wrote to memory of 496	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	79
PID 3020 wrote to memory of 1520	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	81
PID 3020 wrote to memory of 1520	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	81
PID 3020 wrote to memory of 1520	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	81
PID 3020 wrote to memory of 2828	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	82
PID 3020 wrote to memory of 2828	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	82
PID 3020 wrote to memory of 2828	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	82
PID 3020 wrote to memory of 1260	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	83
PID 3020 wrote to memory of 1260	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	83
PID 3020 wrote to memory of 1260	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	83
PID 3020 wrote to memory of 2000	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	85
PID 3020 wrote to memory of 2000	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	85
PID 3020 wrote to memory of 2000	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	85
PID 3020 wrote to memory of 868	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	86
PID 3020 wrote to memory of 868	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	86
PID 3020 wrote to memory of 868	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	86
PID 3020 wrote to memory of 1628	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	87
PID 3020 wrote to memory of 1628	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	87
PID 3020 wrote to memory of 1628	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	87
PID 3020 wrote to memory of 2944	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	88
PID 3020 wrote to memory of 2944	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	88
PID 3020 wrote to memory of 2944	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	88
PID 3020 wrote to memory of 2032	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	90
PID 3020 wrote to memory of 2032	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	90
PID 3020 wrote to memory of 2032	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	90
PID 3020 wrote to memory of 992	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	91
PID 3020 wrote to memory of 992	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	91
PID 3020 wrote to memory of 992	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	91
PID 3020 wrote to memory of 1400	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	92
PID 3020 wrote to memory of 1400	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	92
PID 3020 wrote to memory of 1400	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	92
PID 3020 wrote to memory of 1076	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	94
PID 3020 wrote to memory of 1076	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	94
PID 3020 wrote to memory of 1076	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	94
PID 3020 wrote to memory of 3052	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	95
PID 3020 wrote to memory of 3052	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	95
PID 3020 wrote to memory of 3052	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	95
PID 3020 wrote to memory of 2084	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	108
PID 3020 wrote to memory of 2084	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	108
PID 3020 wrote to memory of 2084	3020	7ef44e6c54801a42dc9cff0bf0459036.exe	108
PID 2084 wrote to memory of 2540	2084	lsass.exe	109
PID 2084 wrote to memory of 2540	2084	lsass.exe	109
PID 2084 wrote to memory of 2540	2084	lsass.exe	109
PID 2084 wrote to memory of 820	2084	lsass.exe	110
PID 2084 wrote to memory of 820	2084	lsass.exe	110
PID 2084 wrote to memory of 820	2084	lsass.exe	110

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7ef44e6c54801a42dc9cff0bf0459036.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7ef44e6c54801a42dc9cff0bf0459036.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7ef44e6c54801a42dc9cff0bf0459036.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7ef44e6c54801a42dc9cff0bf0459036.exe
"C:\Users\Admin\AppData\Local\Temp\7ef44e6c54801a42dc9cff0bf0459036.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7ef44e6c54801a42dc9cff0bf0459036.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\es-ES\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe
  "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2084
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7186d53a-7478-4722-ad76-986ed941cfec.vbs"
    3⤵
    PID:2540
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab9cb1c9-1987-447e-adde-b4a2c31f2b29.vbs"
    3⤵
    PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Fonts\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\NetHood\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default\NetHood\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Vss\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\twain_32\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\twain_32\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\Writers\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe

Filesize
1.8MB

MD5
b9f5bbee3b5c9b30d33f9711348a3fce

SHA1
4295971d58495c5c723a1845411d885b9735126e

SHA256
74902e1ed00b979a46f5805160d8f0f88e980a54de061d2298124749deaadff7

SHA512
d819ab7cb74ab733ba7ba0c81d888b5ac6eebc0d9922ecfcfef09a6bbb4fe8c0cf7c70e8a678ae20a6d48bdd081f91f0b4e2cfae8f2c2030a67f2cfbb321c6a6

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\lsass.exe

Filesize
1.8MB

MD5
2085a336536dc39b0c7d435c262b5cb4

SHA1
3d7bc5c94bb3c0304688f0e32534729bae69b556

SHA256
e75adcf82469c13bea2a3123c89ec7246c05b791c858eecc3a8a2cfa3d6208e6

SHA512
41c34805ae47cd5d8a34c5002e8879c7f5389f8c851cb540974c26bb891a8ae69bf1d4ee4822ba3de34a7e0cf2e4e3d1038d17f67ef65ffbd7a1bcbee319f0c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7186d53a-7478-4722-ad76-986ed941cfec.vbs

Filesize
748B

MD5
338970a84cd8c6d779fd816446c33f97

SHA1
99891cdcce02685c485dacc0c8393dbcb0f6b034

SHA256
08a6b47d7ffaf40885903f0918e5fd06020ae4c372abb04792c2e390c0f4167a

SHA512
b150aa1836a4a1c1e4d4c85728ec2edfb5d07aef8f92b3ac69ac5e8d4ab8dcbefa5b642ba74a7e14944183552c0e5840dcc060c592c5f219d603b4781fe472ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab9cb1c9-1987-447e-adde-b4a2c31f2b29.vbs

Filesize
524B

MD5
95a6aa63057570dc14bf1dc3ad2fd7e3

SHA1
f088b9d6de1034e4fdaf422bfb7d61cef9053dc1

SHA256
ec3f0f9a40fbbb28cb381007b481e5d86d37ce7603ea2d349f9b99bd7d073dc2

SHA512
8986fe242f21080444136e1271a1ad6fd58ca4e07d28947c3c077494d546a83b88bf466559ecb551435e8c8bbe42f32b7b44ffaa6befa0c8b13a4a5fd4d5be82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\dwm.exe

Filesize
1.8MB

MD5
dc938246d0195407e1578bdef85992fa

SHA1
f6888492dd6a8025e9b68b4ca48b0fc7d4cd03e2

SHA256
53436f5bd654da7455d80acf68f04305a490897f1580f0252011b984b6d22016

SHA512
83c3fa3d84070a5f656ec8b1f0e2f1ea9813d3989a93789d97dc23569cf4d1a15d0d13c6e2ef593f1577e1a3ff1acb0cadf20416c3384e40a74c53b3c44a83e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9d2deb9515917971fdad49b34af676ee

SHA1
56103d2b2f153db820c0ef3073e0234a47d4b9a3

SHA256
09238fcb19ccf25b113426904d3f558ce130b717dec0a4f49647c6e07616f5ca

SHA512
dbcb2a49a94566c2a574d9e819d70bea209dfe3fd4b6fe196c300474e389e32809a7bf768846118b4f6859cc8f658855791da683ced55188dda3d497a9011b17

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\smss.exe

Filesize
1.8MB

MD5
7ef44e6c54801a42dc9cff0bf0459036

SHA1
45322aee2375b98a8b443e08d5e9f58ac10e9e2d

SHA256
54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab

SHA512
dfdd479a802f308cc1b49886020cf420127dd87be5642d27452c3ee08198b1efbfca8358e62ed91141ed778ce3cef7ff154e0114eae27220ce81d6cd1acb5250

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\smss.exe

Filesize
1.8MB

MD5
6dd3d51f6a9022337245726ec065339a

SHA1
381628fa37d6aad0ca8d6386e6b97b214be1556e

SHA256
d6cb55592aa0c7776343acf599d2903617d40df591fcf476e0bcad25b12b88e9

SHA512
c126f1717d60fba19d4f3b411cb3c1bd61fd75265b62cb0477efdd0322730e80d1fec3a13ad7153e303d830150c1ac42a11641ffd8c1b2066deea29bfbf8058f

Download Submit
C:\Users\Default\dllhost.exe

Filesize
1.8MB

MD5
fff813ac810b860d1feace8044838878

SHA1
2a3390da749f127cadebb20fa01440be717aa5a6

SHA256
33930765595cf8b0fee90c749e18eac260d73579d2691777afcaa5810e92c500

SHA512
360ed5fcc434684341d5bc663594a6953198239799a283258659717fde1dc310ad634358e0b5ba4af9e92de0c5cbf036b93485f4c49dc54a16e5ccc06270aa42

Download Submit
C:\Windows\Vss\taskhost.exe

Filesize
1.8MB

MD5
8e432f00ce20792c87cf780fb99e1f99

SHA1
4303ec2f94ebe83ef1210836a1173738bcfc8f80

SHA256
df39e1529df3b5e226a07b9ca7c98fc654af3b5882caf6312cade996528574e5

SHA512
5dee48819f0194afc590c5ea9eea075906fadccfffba95e4a224431021bf253beb2f461d4bd727531406328d63e1e441ee24c9143e08fc3cb49ed66b92029de9

Download Submit
memory/2000-237-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/2000-236-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2084-313-0x0000000000B10000-0x0000000000CDC000-memory.dmp

Filesize
1.8MB

Download
memory/3020-19-0x000000001A7B0000-0x000000001A7BC000-memory.dmp

Filesize
48KB

Download
memory/3020-9-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/3020-15-0x0000000000B40000-0x0000000000B4C000-memory.dmp

Filesize
48KB

Download
memory/3020-16-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

Filesize
40KB

Download
memory/3020-17-0x0000000000CF0000-0x0000000000CFE000-memory.dmp

Filesize
56KB

Download
memory/3020-0-0x000007FEF4C83000-0x000007FEF4C84000-memory.dmp

Filesize
4KB

Download
memory/3020-18-0x0000000000D40000-0x0000000000D48000-memory.dmp

Filesize
32KB

Download
memory/3020-20-0x000000001A7C0000-0x000000001A7CC000-memory.dmp

Filesize
48KB

Download
memory/3020-21-0x000007FEF4C80000-0x000007FEF566C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-13-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/3020-12-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/3020-11-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/3020-10-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/3020-14-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/3020-176-0x000007FEF4C83000-0x000007FEF4C84000-memory.dmp

Filesize
4KB

Download
memory/3020-8-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download
memory/3020-7-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/3020-193-0x000007FEF4C80000-0x000007FEF566C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-217-0x000007FEF4C80000-0x000007FEF566C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-6-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3020-5-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/3020-4-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/3020-3-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/3020-319-0x000007FEF4C80000-0x000007FEF566C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-2-0x000007FEF4C80000-0x000007FEF566C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-1-0x0000000000D50000-0x0000000000F1C000-memory.dmp

Filesize
1.8MB

Download