dcrat | d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
Size

3.4MB
MD5

54454792b2656605daffe22adb7750c0
SHA1

14bc4b6c3b169b26efcb22b9dd913c9bdcb25c61
SHA256

d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676
SHA512

279c5bd9e09e45e86df9cd2421aa0a61f724ad8332e0f5409d33ed2ecea4ad4b38ed9c71e67184f08ff23088df5652d75afbb793eded50ef8230effd2597b679
SSDEEP

49152:s3GMesEktOcTPuKyI1qd5i6JTnl9gs6ToWbepfutWiNFg20+5J3pS8Dzy8:nuEktPuu1qbhwDoWHgt+5JZS8fy8

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2888	schtasks.exe	30

UAC bypass 3 TTPs 18 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1288-1-0x0000000000060000-0x00000000003CA000-memory.dmp	dcrat
behavioral1/files/0x00050000000194c3-46.dat	dcrat
behavioral1/memory/2748-82-0x0000000000900000-0x0000000000C6A000-memory.dmp	dcrat
behavioral1/memory/1820-105-0x00000000009A0000-0x0000000000D0A000-memory.dmp	dcrat
behavioral1/memory/1072-117-0x0000000000F60000-0x00000000012CA000-memory.dmp	dcrat
behavioral1/memory/2592-129-0x0000000000FB0000-0x000000000131A000-memory.dmp	dcrat

Executes dropped EXE 5 IoCs

pid	Process
2748	services.exe
2960	services.exe
1820	services.exe
1072	services.exe
2592	services.exe

Checks whether UAC is enabled 1 TTPs 12 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com
10	pastebin.com
14	pastebin.com
18	pastebin.com
22	pastebin.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\WmiPrvSE.exe	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\es-ES\d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
File created	C:\Program Files\Windows Journal\es-ES\44506943657463	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
File created	C:\Program Files (x86)\Uninstall Information\lsass.exe	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
File created	C:\Program Files (x86)\Uninstall Information\6203df4a6bafc7	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\886983d96e3d3e	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\44506943657463	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\services.exe	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\c5b4cb5e9653cc	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Themes\services.exe	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
File created	C:\Windows\Resources\Themes\c5b4cb5e9653cc	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
File created	C:\Windows\Migration\WTR\spoolsv.exe	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
File created	C:\Windows\Migration\WTR\f3b6ecef712a24	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Favorites\services.exe	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Favorites\c5b4cb5e9653cc	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
File created	C:\Windows\rescache\rc0005\dllhost.exe	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2936	schtasks.exe
2724	schtasks.exe
536	schtasks.exe
1956	schtasks.exe
1336	schtasks.exe
2692	schtasks.exe
800	schtasks.exe
584	schtasks.exe
1796	schtasks.exe
1784	schtasks.exe
1300	schtasks.exe
2296	schtasks.exe
1636	schtasks.exe
3016	schtasks.exe
2488	schtasks.exe
2624	schtasks.exe
780	schtasks.exe
708	schtasks.exe
1508	schtasks.exe
476	schtasks.exe
1628	schtasks.exe
2076	schtasks.exe
2292	schtasks.exe
2824	schtasks.exe
2896	schtasks.exe
3064	schtasks.exe
2272	schtasks.exe
448	schtasks.exe
2308	schtasks.exe
3036	schtasks.exe
2856	schtasks.exe
2592	schtasks.exe
3044	schtasks.exe
2588	schtasks.exe
2760	schtasks.exe
2960	schtasks.exe
2284	schtasks.exe
2956	schtasks.exe
1876	schtasks.exe
1064	schtasks.exe
2916	schtasks.exe
1868	schtasks.exe
2196	schtasks.exe
2108	schtasks.exe
1364	schtasks.exe
2800	schtasks.exe
1576	schtasks.exe
1584	schtasks.exe
1404	schtasks.exe
1760	schtasks.exe
2404	schtasks.exe
2276	schtasks.exe
1616	schtasks.exe
2392	schtasks.exe
2428	schtasks.exe
848	schtasks.exe
2752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe
2960	services.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
Token: SeDebugPrivilege	2748	services.exe
Token: SeDebugPrivilege	2960	services.exe
Token: SeDebugPrivilege	1820	services.exe
Token: SeDebugPrivilege	1072	services.exe
Token: SeDebugPrivilege	2592	services.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2748	1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe	88
PID 1288 wrote to memory of 2748	1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe	88
PID 1288 wrote to memory of 2748	1288	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe	88
PID 2748 wrote to memory of 1668	2748	services.exe	89
PID 2748 wrote to memory of 1668	2748	services.exe	89
PID 2748 wrote to memory of 1668	2748	services.exe	89
PID 2748 wrote to memory of 2964	2748	services.exe	90
PID 2748 wrote to memory of 2964	2748	services.exe	90
PID 2748 wrote to memory of 2964	2748	services.exe	90
PID 1668 wrote to memory of 2960	1668	WScript.exe	92
PID 1668 wrote to memory of 2960	1668	WScript.exe	92
PID 1668 wrote to memory of 2960	1668	WScript.exe	92
PID 2960 wrote to memory of 2920	2960	services.exe	93
PID 2960 wrote to memory of 2920	2960	services.exe	93
PID 2960 wrote to memory of 2920	2960	services.exe	93
PID 2960 wrote to memory of 1800	2960	services.exe	94
PID 2960 wrote to memory of 1800	2960	services.exe	94
PID 2960 wrote to memory of 1800	2960	services.exe	94
PID 2920 wrote to memory of 1820	2920	WScript.exe	95
PID 2920 wrote to memory of 1820	2920	WScript.exe	95
PID 2920 wrote to memory of 1820	2920	WScript.exe	95
PID 1820 wrote to memory of 324	1820	services.exe	96
PID 1820 wrote to memory of 324	1820	services.exe	96
PID 1820 wrote to memory of 324	1820	services.exe	96
PID 1820 wrote to memory of 884	1820	services.exe	97
PID 1820 wrote to memory of 884	1820	services.exe	97
PID 1820 wrote to memory of 884	1820	services.exe	97
PID 324 wrote to memory of 1072	324	WScript.exe	98
PID 324 wrote to memory of 1072	324	WScript.exe	98
PID 324 wrote to memory of 1072	324	WScript.exe	98
PID 1072 wrote to memory of 2160	1072	services.exe	99
PID 1072 wrote to memory of 2160	1072	services.exe	99
PID 1072 wrote to memory of 2160	1072	services.exe	99
PID 1072 wrote to memory of 1608	1072	services.exe	100
PID 1072 wrote to memory of 1608	1072	services.exe	100
PID 1072 wrote to memory of 1608	1072	services.exe	100
PID 2160 wrote to memory of 2592	2160	WScript.exe	101
PID 2160 wrote to memory of 2592	2160	WScript.exe	101
PID 2160 wrote to memory of 2592	2160	WScript.exe	101
PID 2592 wrote to memory of 2244	2592	services.exe	102
PID 2592 wrote to memory of 2244	2592	services.exe	102
PID 2592 wrote to memory of 2244	2592	services.exe	102
PID 2592 wrote to memory of 1716	2592	services.exe	103
PID 2592 wrote to memory of 1716	2592	services.exe	103
PID 2592 wrote to memory of 1716	2592	services.exe	103

System policy modification 1 TTPs 18 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
"C:\Users\Admin\AppData\Local\Temp\d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1288
- C:\Windows\ServiceProfiles\NetworkService\Favorites\services.exe
  "C:\Windows\ServiceProfiles\NetworkService\Favorites\services.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2748
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f74421a8-bdee-4329-86b6-456bf3c7d17c.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\ServiceProfiles\NetworkService\Favorites\services.exe
      C:\Windows\ServiceProfiles\NetworkService\Favorites\services.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2960
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c0a531c-b4d3-44b5-a040-ff0fa92f369a.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Windows\ServiceProfiles\NetworkService\Favorites\services.exe
        
        C:\Windows\ServiceProfiles\NetworkService\Favorites\services.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5070d8f6-194d-45ae-bda2-d9db65c1f5da.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\ServiceProfiles\NetworkService\Favorites\services.exe
        
        C:\Windows\ServiceProfiles\NetworkService\Favorites\services.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd75afb8-3ab9-458d-9019-4637129d9386.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\ServiceProfiles\NetworkService\Favorites\services.exe
        
        C:\Windows\ServiceProfiles\NetworkService\Favorites\services.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c453862-698b-4e33-a9d9-dc308b6f0b6c.vbs"
        11⤵
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5ca6063-53bf-410b-87ee-397ab96eaa54.vbs"
        11⤵
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d932405-e530-4c03-a964-09f95427e403.vbs"
        9⤵
        
        PID:1608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad02deae-7b70-4dfa-9ce9-b6ef7e282dbc.vbs"
        7⤵
        
        PID:884
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ec5205a-9a70-4a54-a078-bc98d7914af0.vbs"
        5⤵
        
        PID:1800
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f3d9cad-a737-4742-8162-6c459d62b806.vbs"
    3⤵
    PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Local Settings\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Local Settings\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Application Data\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Themes\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Resources\Themes\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\AppData\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\AppData\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676d" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676d" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\NetworkService\Favorites\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Favorites\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\NetworkService\Favorites\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676d" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\es-ES\d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676d" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\es-ES\d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Templates\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\plugins\misc\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\misc\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\plugins\misc\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lsm.exe

Filesize
3.4MB

MD5
54454792b2656605daffe22adb7750c0

SHA1
14bc4b6c3b169b26efcb22b9dd913c9bdcb25c61

SHA256
d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676

SHA512
279c5bd9e09e45e86df9cd2421aa0a61f724ad8332e0f5409d33ed2ecea4ad4b38ed9c71e67184f08ff23088df5652d75afbb793eded50ef8230effd2597b679

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f3d9cad-a737-4742-8162-6c459d62b806.vbs

Filesize
516B

MD5
cf4f629ecf8d3f3e370f3f01f73ea165

SHA1
f82738f1e9c3d04068b624188a7c22479a9c54a7

SHA256
39f0128747c70c699bc2dbd426174dbee77f93929a074abd6566e91169b99afa

SHA512
6247f55a31911218da6a089782a12a4e719c0edd8d2a39c54924805a50298be20946451369fc664208e378953ff832ea6f8baf7ccc1f88ddf945119f9d1f3d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\5070d8f6-194d-45ae-bda2-d9db65c1f5da.vbs

Filesize
740B

MD5
a56a9d3d2e1a52a443b444d278f1db9b

SHA1
384da7b843cd9fd3506530e30265fe5a83dcf660

SHA256
fc014ae62ba15336c769457e49215ab2c44e36d4eab561aec45018213a1cef96

SHA512
61d64b44d7a0f7de9ed68b1bef8b255329a2ab79fc87c88d3707e68981a0422926cf7fedeb33ae4d0a027fd1b497f81df617645c84385b964395c224e2fb0a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c0a531c-b4d3-44b5-a040-ff0fa92f369a.vbs

Filesize
740B

MD5
21a557186b1aa5be7d6d9ae299e1a743

SHA1
08382f2086d0d8b9180e2dfada022e13d8ebece7

SHA256
5676ad874d2381e792374135db4a5491594e2d2cbf7f71178b4c2a03263ae234

SHA512
d6f1133e3877a1e03a426e2b38fd158305519a0cf9f94f80e5965877954b5e66e1156e2a125c14e9ce0d9a06956547590da493925ebc8ead1d9fe7475a2ce691

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c453862-698b-4e33-a9d9-dc308b6f0b6c.vbs

Filesize
740B

MD5
30702b0049b0e77bab4496924e86834a

SHA1
a4bfea730bb417660c49a304bd8fe78fadc0d60f

SHA256
c1e13fa1040c0712734f88c7c80ec0c76d1182b5d3ff32ab7cad721968a78b8b

SHA512
e29349ce43b1855259e8c7edcc3540a9a851713f3179ebbca27e0298088b51aad1294a6ee1f9948afc20658acf78b335ac1560d69e1dbd32778c22edc74f0372

Download Submit
C:\Users\Admin\AppData\Local\Temp\f74421a8-bdee-4329-86b6-456bf3c7d17c.vbs

Filesize
740B

MD5
4eadd6a77c73145b8b71b3c096b3b6da

SHA1
4bc9b19e7ea5834719aa414c06c5c956861d01ac

SHA256
4c25e8caa55e5950ff65fc757698ba4be6d95bbafbb748db85b0a959f733d232

SHA512
1fab73c7471a1f03c5751e27b95e1d7e3d4927152d36f44b75ad44f7db90fe9508c0c479db2a9b4e9ca572ad80dde205ee4315c21cdb616651734f2a3a750655

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd75afb8-3ab9-458d-9019-4637129d9386.vbs

Filesize
740B

MD5
aa579d9f467d6c44d7fe753a36dbe2c6

SHA1
57713e11f25184b730094bfe74740ae4ea7f5e33

SHA256
0c0e0faac1e6ad57fb8026982c1e1b3b887fb8c380b9316fcdb248d05af250b1

SHA512
9a76d48a838dd91b2a8a8f73458913306054227ef64070ba8d32bdda7b534b5fe4f655bc9479179ebc45a612aa01dcb30469b4b7cc9910d6a075eadfe2e7d0ae

Download Submit
memory/1072-117-0x0000000000F60000-0x00000000012CA000-memory.dmp

Filesize
3.4MB

Download
memory/1288-19-0x00000000023C0000-0x00000000023CC000-memory.dmp

Filesize
48KB

Download
memory/1288-24-0x000000001AAA0000-0x000000001AAA8000-memory.dmp

Filesize
32KB

Download
memory/1288-5-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/1288-6-0x00000000005E0000-0x00000000005FC000-memory.dmp

Filesize
112KB

Download
memory/1288-7-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/1288-8-0x0000000000620000-0x0000000000630000-memory.dmp

Filesize
64KB

Download
memory/1288-9-0x00000000007B0000-0x00000000007C6000-memory.dmp

Filesize
88KB

Download
memory/1288-10-0x00000000007D0000-0x00000000007D8000-memory.dmp

Filesize
32KB

Download
memory/1288-11-0x00000000007E0000-0x00000000007F2000-memory.dmp

Filesize
72KB

Download
memory/1288-12-0x0000000000990000-0x000000000099C000-memory.dmp

Filesize
48KB

Download
memory/1288-13-0x00000000007F0000-0x00000000007F8000-memory.dmp

Filesize
32KB

Download
memory/1288-14-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/1288-15-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/1288-16-0x0000000002270000-0x00000000022C6000-memory.dmp

Filesize
344KB

Download
memory/1288-17-0x00000000009C0000-0x00000000009CC000-memory.dmp

Filesize
48KB

Download
memory/1288-18-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/1288-3-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/1288-20-0x00000000023D0000-0x00000000023D8000-memory.dmp

Filesize
32KB

Download
memory/1288-21-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/1288-22-0x000000001AA80000-0x000000001AA8C000-memory.dmp

Filesize
48KB

Download
memory/1288-23-0x000000001AA90000-0x000000001AA9C000-memory.dmp

Filesize
48KB

Download
memory/1288-4-0x00000000005C0000-0x00000000005CE000-memory.dmp

Filesize
56KB

Download
memory/1288-25-0x000000001ABB0000-0x000000001ABBC000-memory.dmp

Filesize
48KB

Download
memory/1288-26-0x000000001ABC0000-0x000000001ABCC000-memory.dmp

Filesize
48KB

Download
memory/1288-27-0x000000001ABD0000-0x000000001ABD8000-memory.dmp

Filesize
32KB

Download
memory/1288-28-0x000000001ABE0000-0x000000001ABEC000-memory.dmp

Filesize
48KB

Download
memory/1288-29-0x000000001ABF0000-0x000000001ABFA000-memory.dmp

Filesize
40KB

Download
memory/1288-30-0x000000001AC00000-0x000000001AC0E000-memory.dmp

Filesize
56KB

Download
memory/1288-32-0x000000001AC20000-0x000000001AC2E000-memory.dmp

Filesize
56KB

Download
memory/1288-31-0x000000001AC10000-0x000000001AC18000-memory.dmp

Filesize
32KB

Download
memory/1288-33-0x000000001AC30000-0x000000001AC38000-memory.dmp

Filesize
32KB

Download
memory/1288-34-0x000000001AC40000-0x000000001AC4C000-memory.dmp

Filesize
48KB

Download
memory/1288-35-0x000000001AC50000-0x000000001AC58000-memory.dmp

Filesize
32KB

Download
memory/1288-36-0x000000001AC60000-0x000000001AC6A000-memory.dmp

Filesize
40KB

Download
memory/1288-37-0x000000001B040000-0x000000001B04C000-memory.dmp

Filesize
48KB

Download
memory/1288-83-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/1288-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/1288-1-0x0000000000060000-0x00000000003CA000-memory.dmp

Filesize
3.4MB

Download
memory/1288-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/1820-105-0x00000000009A0000-0x0000000000D0A000-memory.dmp

Filesize
3.4MB

Download
memory/2592-129-0x0000000000FB0000-0x000000000131A000-memory.dmp

Filesize
3.4MB

Download
memory/2748-82-0x0000000000900000-0x0000000000C6A000-memory.dmp

Filesize
3.4MB

Download