dcrat | 7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
Size

3.4MB
MD5

9040d1f68050a9b2533ac7e8b59c2aa0
SHA1

1b38a5284d4510423c0c4ac77066fc6eb41b9286
SHA256

7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67
SHA512

e2121c2d4156af7968d3e608affc33519933a9e8c3ae6b2ad49af059e3b6cca12b1e3f36bc0283df2ae9645c199192d45f6b1e8053af6adf08724d11791a1f39
SSDEEP

49152:s3GMesEktOcTPuKyI1qd5i6JTnl9gs6ToWbepfutWiNFg20+5J3pS8Dzy:nuEktPuu1qbhwDoWHgt+5JZS8fy

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat 42 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2076	schtasks.exe
File created	C:\Program Files\Windows Portable Devices\b75386f1303e64		7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
		1272	schtasks.exe
		2380	schtasks.exe
		656	schtasks.exe
		2064	schtasks.exe
		2960	schtasks.exe
		704	schtasks.exe
		2104	schtasks.exe
		1508	schtasks.exe
		1640	schtasks.exe
		2368	schtasks.exe
		1692	schtasks.exe
		2704	schtasks.exe
		300	schtasks.exe
		2196	schtasks.exe
		1768	schtasks.exe
		2948	schtasks.exe
		540	schtasks.exe
File created	C:\Program Files\Google\69ddcba757bf72		7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
		620	schtasks.exe
		2340	schtasks.exe
		2600	schtasks.exe
		1632	schtasks.exe
		1824	schtasks.exe
		692	schtasks.exe
		1332	schtasks.exe
		2112	schtasks.exe
		796	schtasks.exe
		2724	schtasks.exe
File created	C:\Windows\es-ES\886983d96e3d3e		7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
		680	schtasks.exe
		376	schtasks.exe
		1036	schtasks.exe
		2864	schtasks.exe
		1588	schtasks.exe
		1232	schtasks.exe
		2260	schtasks.exe
		1716	schtasks.exe
		2476	schtasks.exe
		2412	schtasks.exe
		1552	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2580	schtasks.exe	30

UAC bypass 3 TTPs 21 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2200-1-0x0000000000F60000-0x00000000012CA000-memory.dmp	dcrat
behavioral1/files/0x0007000000017429-46.dat	dcrat
behavioral1/memory/1964-54-0x00000000002B0000-0x000000000061A000-memory.dmp	dcrat
behavioral1/memory/1472-81-0x0000000000CF0000-0x000000000105A000-memory.dmp	dcrat
behavioral1/memory/2364-93-0x0000000000110000-0x000000000047A000-memory.dmp	dcrat
behavioral1/memory/2448-105-0x0000000000B80000-0x0000000000EEA000-memory.dmp	dcrat
behavioral1/memory/804-118-0x0000000001390000-0x00000000016FA000-memory.dmp	dcrat

Executes dropped EXE 5 IoCs

pid	Process
2032	taskhost.exe
1472	taskhost.exe
2364	taskhost.exe
2448	taskhost.exe
804	taskhost.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
14	pastebin.com
18	pastebin.com
22	pastebin.com
4	pastebin.com
5	pastebin.com
10	pastebin.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Google\smss.exe	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
File created	C:\Program Files\Google\69ddcba757bf72	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
File created	C:\Program Files\Windows Portable Devices\taskhost.exe	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
File created	C:\Program Files\Windows Portable Devices\b75386f1303e64	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
File created	C:\Program Files\Reference Assemblies\taskhost.exe	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
File created	C:\Program Files\Reference Assemblies\b75386f1303e64	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\PLA\System\7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
File created	C:\Windows\PLA\System\9a88ec54eb34bf	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\Idle.exe	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\6ccacd8608530f	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
File created	C:\Windows\diagnostics\scheduled\Maintenance\es-ES\WmiPrvSE.exe	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
File created	C:\Windows\es-ES\csrss.exe	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
File opened for modification	C:\Windows\es-ES\csrss.exe	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
File created	C:\Windows\es-ES\886983d96e3d3e	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2476	schtasks.exe
1716	schtasks.exe
680	schtasks.exe
2368	schtasks.exe
2260	schtasks.exe
2724	schtasks.exe
2340	schtasks.exe
1272	schtasks.exe
2412	schtasks.exe
2064	schtasks.exe
1692	schtasks.exe
704	schtasks.exe
620	schtasks.exe
2960	schtasks.exe
1824	schtasks.exe
1632	schtasks.exe
2948	schtasks.exe
1588	schtasks.exe
540	schtasks.exe
2704	schtasks.exe
796	schtasks.exe
1508	schtasks.exe
1552	schtasks.exe
2864	schtasks.exe
2600	schtasks.exe
2196	schtasks.exe
2380	schtasks.exe
656	schtasks.exe
1768	schtasks.exe
2104	schtasks.exe
2076	schtasks.exe
692	schtasks.exe
1232	schtasks.exe
376	schtasks.exe
1036	schtasks.exe
2112	schtasks.exe
300	schtasks.exe
1332	schtasks.exe
1640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2200	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
2200	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
2200	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
2200	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
2200	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
2200	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
2200	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
2200	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
2200	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
2200	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
2200	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
2200	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
2200	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
1964	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
1964	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
1964	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
1964	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
1964	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
1964	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
1964	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
1472	taskhost.exe
2364	taskhost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
Token: SeDebugPrivilege	1964	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
Token: SeDebugPrivilege	1472	taskhost.exe
Token: SeDebugPrivilege	2364	taskhost.exe
Token: SeDebugPrivilege	2448	taskhost.exe
Token: SeDebugPrivilege	804	taskhost.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2904	2200	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe	46
PID 2200 wrote to memory of 2904	2200	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe	46
PID 2200 wrote to memory of 2904	2200	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe	46
PID 2904 wrote to memory of 1996	2904	cmd.exe	48
PID 2904 wrote to memory of 1996	2904	cmd.exe	48
PID 2904 wrote to memory of 1996	2904	cmd.exe	48
PID 2904 wrote to memory of 1964	2904	cmd.exe	49
PID 2904 wrote to memory of 1964	2904	cmd.exe	49
PID 2904 wrote to memory of 1964	2904	cmd.exe	49
PID 1964 wrote to memory of 2032	1964	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe	74
PID 1964 wrote to memory of 2032	1964	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe	74
PID 1964 wrote to memory of 2032	1964	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe	74
PID 2552 wrote to memory of 1472	2552	WScript.exe	77
PID 2552 wrote to memory of 1472	2552	WScript.exe	77
PID 2552 wrote to memory of 1472	2552	WScript.exe	77
PID 1472 wrote to memory of 1456	1472	taskhost.exe	79
PID 1472 wrote to memory of 1456	1472	taskhost.exe	79
PID 1472 wrote to memory of 1456	1472	taskhost.exe	79
PID 1472 wrote to memory of 1072	1472	taskhost.exe	80
PID 1472 wrote to memory of 1072	1472	taskhost.exe	80
PID 1472 wrote to memory of 1072	1472	taskhost.exe	80
PID 1456 wrote to memory of 2364	1456	WScript.exe	81
PID 1456 wrote to memory of 2364	1456	WScript.exe	81
PID 1456 wrote to memory of 2364	1456	WScript.exe	81
PID 2364 wrote to memory of 1520	2364	taskhost.exe	82
PID 2364 wrote to memory of 1520	2364	taskhost.exe	82
PID 2364 wrote to memory of 1520	2364	taskhost.exe	82
PID 2364 wrote to memory of 1732	2364	taskhost.exe	83
PID 2364 wrote to memory of 1732	2364	taskhost.exe	83
PID 2364 wrote to memory of 1732	2364	taskhost.exe	83
PID 1520 wrote to memory of 2448	1520	WScript.exe	84
PID 1520 wrote to memory of 2448	1520	WScript.exe	84
PID 1520 wrote to memory of 2448	1520	WScript.exe	84
PID 2448 wrote to memory of 2060	2448	taskhost.exe	85
PID 2448 wrote to memory of 2060	2448	taskhost.exe	85
PID 2448 wrote to memory of 2060	2448	taskhost.exe	85
PID 2448 wrote to memory of 2436	2448	taskhost.exe	86
PID 2448 wrote to memory of 2436	2448	taskhost.exe	86
PID 2448 wrote to memory of 2436	2448	taskhost.exe	86
PID 2060 wrote to memory of 804	2060	WScript.exe	87
PID 2060 wrote to memory of 804	2060	WScript.exe	87
PID 2060 wrote to memory of 804	2060	WScript.exe	87
PID 804 wrote to memory of 1292	804	taskhost.exe	88
PID 804 wrote to memory of 1292	804	taskhost.exe	88
PID 804 wrote to memory of 1292	804	taskhost.exe	88
PID 804 wrote to memory of 2300	804	taskhost.exe	89
PID 804 wrote to memory of 2300	804	taskhost.exe	89
PID 804 wrote to memory of 2300	804	taskhost.exe	89

System policy modification 1 TTPs 21 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
"C:\Users\Admin\AppData\Local\Temp\7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2200
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OCbiMBVseT.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1996
- - C:\Users\Admin\AppData\Local\Temp\7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe
    "C:\Users\Admin\AppData\Local\Temp\7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe"
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1964
  - - C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe
      "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      System policy modification
      PID:2032
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d5dbba2-a9e2-43af-8c29-0f25071b7a0c.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82c35f36-5a65-4370-bc8e-4951ed39c55c.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\982126e1-20a2-4a4b-895c-4466481e5aa9.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08e41193-f44c-4019-b9f8-26610b480879.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17d91de1-ce9b-4132-91fc-8558d290f424.vbs"
        13⤵
        
        PID:1292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cff54376-6056-4531-b0c7-8bb61fc3cfdc.vbs"
        13⤵
        
        PID:2300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd66a94d-f4cc-4090-9685-54bf0769a84a.vbs"
        11⤵
        
        PID:2436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78389845-0ec8-46d7-9163-d7b681e291e1.vbs"
        9⤵
        
        PID:1732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bb7e258-946d-408f-8b78-147babc6625c.vbs"
        7⤵
        
        PID:1072
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9561966-701e-4347-bb85-5a23629f19c2.vbs"
        5⤵
        
        PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Google\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b677" /sc MINUTE /mo 13 /tr "'C:\Windows\PLA\System\7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67" /sc ONLOGON /tr "'C:\Windows\PLA\System\7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b677" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\System\7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Desktop\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\b75386f1303e64

Filesize
983B

MD5
133f10ef00395f0f8706334d4c5d4011

SHA1
98a54d53a205142949295da9916be148e01527f0

SHA256
b4eb76a0fa3c6a84a5156c87f0cab8fb5c7d84c4a5f59460f8a18103c4af87ae

SHA512
edd7371c7cef9cef4297cf1d0dea615633c0a6d113f4238569e748e8a739030a29d37fa43288bcf53eb0fadd64605ab655d76ee5eed77d0e7f2e2c99f82e182a

Download Submit
C:\Program Files\Windows Portable Devices\taskhost.exe

Filesize
3.4MB

MD5
9040d1f68050a9b2533ac7e8b59c2aa0

SHA1
1b38a5284d4510423c0c4ac77066fc6eb41b9286

SHA256
7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67

SHA512
e2121c2d4156af7968d3e608affc33519933a9e8c3ae6b2ad49af059e3b6cca12b1e3f36bc0283df2ae9645c199192d45f6b1e8053af6adf08724d11791a1f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\08e41193-f44c-4019-b9f8-26610b480879.vbs

Filesize
751B

MD5
bfa41076d1d72eb9accadfb9a83315d4

SHA1
38c7d16b356e3c3118292e331b8403a11fa89060

SHA256
f0a2878680b0f41c0110dd7b26c080986b94133667f9aa2d9611b89aaafa9974

SHA512
46391777d9bad3b9dd87951adda18dd1069f8dae22098dc33bfb4bcdae991ebc623c38ac0ef91b0b5ee5fd1e35401a680d7a8c3289ce7e40cc80db0b15419888

Download Submit
C:\Users\Admin\AppData\Local\Temp\17d91de1-ce9b-4132-91fc-8558d290f424.vbs

Filesize
750B

MD5
871f22be3553ad2cab65f0de3e85e0b3

SHA1
3b9db6dc2aa46cfa156895684dc5270d17283bfc

SHA256
18ccb17d71fdca71e068f15cab413613ff9a5a0e078616f59694f5e89703d869

SHA512
ffba105e957ca0a0b361034bab118fb0a1439d35dffea5191a36e6ba09e7d5548195ea259710b2c316c7dc067ab9852eb858e43324befd3575534b2720ecd118

Download Submit
C:\Users\Admin\AppData\Local\Temp\3bb7e258-946d-408f-8b78-147babc6625c.vbs

Filesize
527B

MD5
eb88d1e07f44f41fadf975c7b8f1e454

SHA1
1f56f16c3e3fda48f80414289d80e6c0c41a07a3

SHA256
2acae1234c463587dd0ae67efa3f7bd0dcf40cb39c5f733a6bfcbb296d9a62d9

SHA512
5e9d949d7c32468f5723dca64c9345ab31960cd015d8347ef393ceef70c699d681a3a154737da208d7f9f7394593bbbbd3016ca4449c6c20c32f242e5a48c51f

Download Submit
C:\Users\Admin\AppData\Local\Temp\82c35f36-5a65-4370-bc8e-4951ed39c55c.vbs

Filesize
751B

MD5
e7e51bafe114e74bf569ccb54ddccac1

SHA1
c571b993fa6c6727897c0c7221dc5dd9c042aa4a

SHA256
3bd03661bb8cf90388e3078e06393d6a258b1855e900be579b7cd1d943461bea

SHA512
b624067db940da6413bb2d3064377a70a104a8fb9e4a6cdd2850f6ca36543c5956e9e5b44dcb8742ce2aa168b7d48f0de3359f6794155bac45e04a3dfdf6e4b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\982126e1-20a2-4a4b-895c-4466481e5aa9.vbs

Filesize
751B

MD5
02dbc87f7b12d6910ca31e0ead39a1c7

SHA1
c601e2b447518e21202abebacb9987211c74082e

SHA256
06eebbf58021dd84eb51dab44e23c55f912df2dc18a5556a14a90b699afd2660

SHA512
beb71245fab20d63ee342d48176a1751c0435ded271a632f5f77ec4be3b7bf92e16d35f96695d2dee77ed606c369a96c6702ba45a9686e983203c0200cb7e74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCbiMBVseT.bat

Filesize
267B

MD5
93c7639c56a270c736adf2b2f90584e3

SHA1
98f62960a33c1a9f4f9afb47e62ab59825903221

SHA256
2dab081273be05ed5fcc3d899f5bcd629d1948d35bceb8aea4f6053237155ff7

SHA512
0f15bd5ca7dccb6a52d25daa3d5f567533ec2e8340a0063e33b6dee9bc83d4dd0bf276c4421b40539f6e7b6a5ab2a6c476f69139b8572869a03f3e7662f893ff

Download Submit
memory/804-118-0x0000000001390000-0x00000000016FA000-memory.dmp

Filesize
3.4MB

Download
memory/804-119-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/1472-81-0x0000000000CF0000-0x000000000105A000-memory.dmp

Filesize
3.4MB

Download
memory/1472-82-0x00000000007D0000-0x00000000007E2000-memory.dmp

Filesize
72KB

Download
memory/1964-55-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1964-54-0x00000000002B0000-0x000000000061A000-memory.dmp

Filesize
3.4MB

Download
memory/2200-32-0x000000001AA80000-0x000000001AA8E000-memory.dmp

Filesize
56KB

Download
memory/2200-12-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/2200-37-0x000000001ABD0000-0x000000001ABDC000-memory.dmp

Filesize
48KB

Download
memory/2200-36-0x000000001ABC0000-0x000000001ABCA000-memory.dmp

Filesize
40KB

Download
memory/2200-0-0x000007FEF5073000-0x000007FEF5074000-memory.dmp

Filesize
4KB

Download
memory/2200-53-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

Filesize
9.9MB

Download
memory/2200-26-0x0000000000F30000-0x0000000000F3C000-memory.dmp

Filesize
48KB

Download
memory/2200-35-0x000000001ABB0000-0x000000001ABB8000-memory.dmp

Filesize
32KB

Download
memory/2200-34-0x000000001AAA0000-0x000000001AAAC000-memory.dmp

Filesize
48KB

Download
memory/2200-33-0x000000001AA90000-0x000000001AA98000-memory.dmp

Filesize
32KB

Download
memory/2200-30-0x000000001AA60000-0x000000001AA6E000-memory.dmp

Filesize
56KB

Download
memory/2200-29-0x000000001AA50000-0x000000001AA5A000-memory.dmp

Filesize
40KB

Download
memory/2200-28-0x0000000000F50000-0x0000000000F5C000-memory.dmp

Filesize
48KB

Download
memory/2200-27-0x0000000000F40000-0x0000000000F48000-memory.dmp

Filesize
32KB

Download
memory/2200-25-0x0000000000EE0000-0x0000000000EEC000-memory.dmp

Filesize
48KB

Download
memory/2200-24-0x0000000000ED0000-0x0000000000ED8000-memory.dmp

Filesize
32KB

Download
memory/2200-22-0x0000000000E10000-0x0000000000E1C000-memory.dmp

Filesize
48KB

Download
memory/2200-20-0x0000000000C10000-0x0000000000C18000-memory.dmp

Filesize
32KB

Download
memory/2200-18-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

Filesize
32KB

Download
memory/2200-16-0x0000000000DB0000-0x0000000000E06000-memory.dmp

Filesize
344KB

Download
memory/2200-13-0x0000000000B90000-0x0000000000B98000-memory.dmp

Filesize
32KB

Download
memory/2200-31-0x000000001AA70000-0x000000001AA78000-memory.dmp

Filesize
32KB

Download
memory/2200-10-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/2200-9-0x0000000000B60000-0x0000000000B76000-memory.dmp

Filesize
88KB

Download
memory/2200-8-0x0000000000B50000-0x0000000000B60000-memory.dmp

Filesize
64KB

Download
memory/2200-7-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/2200-5-0x00000000004E0000-0x00000000004E8000-memory.dmp

Filesize
32KB

Download
memory/2200-23-0x0000000000EC0000-0x0000000000ECC000-memory.dmp

Filesize
48KB

Download
memory/2200-21-0x0000000000E00000-0x0000000000E12000-memory.dmp

Filesize
72KB

Download
memory/2200-19-0x0000000000C00000-0x0000000000C0C000-memory.dmp

Filesize
48KB

Download
memory/2200-17-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

Filesize
48KB

Download
memory/2200-15-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

Filesize
40KB

Download
memory/2200-14-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/2200-11-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/2200-1-0x0000000000F60000-0x00000000012CA000-memory.dmp

Filesize
3.4MB

Download
memory/2200-6-0x00000000004F0000-0x000000000050C000-memory.dmp

Filesize
112KB

Download
memory/2200-2-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

Filesize
9.9MB

Download
memory/2200-3-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/2200-4-0x00000000004D0000-0x00000000004DE000-memory.dmp

Filesize
56KB

Download
memory/2364-93-0x0000000000110000-0x000000000047A000-memory.dmp

Filesize
3.4MB

Download
memory/2448-106-0x000000001A9C0000-0x000000001A9D2000-memory.dmp

Filesize
72KB

Download
memory/2448-105-0x0000000000B80000-0x0000000000EEA000-memory.dmp

Filesize
3.4MB

Download