dcrat | 3055d261f05a0656b1b92d9fa8ed3a72111a3a5c6d036d13d3d3a304ca99b987

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-12-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bc68db77e687fa52b2f367994c5bc6f.exe
Size

2.5MB
MD5

0bc68db77e687fa52b2f367994c5bc6f
SHA1

ecf69c28aa53920f6279ad29d5bc9bb02542e841
SHA256

3055d261f05a0656b1b92d9fa8ed3a72111a3a5c6d036d13d3d3a304ca99b987
SHA512

fdb5c57a9a86961e895159543196c9b59c810827d82d7610ab8f9e220125f25c1867eae376c2f2aa1ae19b7899cd746dc18f6a56486cd4449766325a135421a1
SSDEEP

49152:ubA3jUx4QdTmxnMJUh+pDY92IXc3Mx+HqXQJc2cv1TDlHz:ubVdPpDYbNiIP2cvxZHz

Score

10^/10

dcrat discovery evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\winlogon.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\spoolsv.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\""	SavesintoHost.exe

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	1584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	1584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	1584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	1584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	1584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	1584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	1584	schtasks.exe	35

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SavesintoHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SavesintoHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SavesintoHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000193f9-14.dat	dcrat
behavioral1/memory/2568-18-0x00000000009D0000-0x0000000000C0E000-memory.dmp	dcrat
behavioral1/memory/2392-63-0x0000000000290000-0x00000000004CE000-memory.dmp	dcrat
behavioral1/memory/1888-75-0x0000000001270000-0x00000000014AE000-memory.dmp	dcrat
behavioral1/memory/2680-87-0x00000000012E0000-0x000000000151E000-memory.dmp	dcrat
behavioral1/memory/1148-99-0x00000000003E0000-0x000000000061E000-memory.dmp	dcrat
behavioral1/memory/1932-112-0x0000000000F80000-0x00000000011BE000-memory.dmp	dcrat
behavioral1/memory/352-125-0x00000000012D0000-0x000000000150E000-memory.dmp	dcrat
behavioral1/memory/2780-170-0x0000000000120000-0x000000000035E000-memory.dmp	dcrat
behavioral1/memory/2828-183-0x0000000000390000-0x00000000005CE000-memory.dmp	dcrat

Executes dropped EXE 12 IoCs

pid	Process
2568	SavesintoHost.exe
2392	spoolsv.exe
1888	spoolsv.exe
2680	spoolsv.exe
1148	spoolsv.exe
1932	spoolsv.exe
352	spoolsv.exe
1264	spoolsv.exe
1532	spoolsv.exe
1048	spoolsv.exe
2780	spoolsv.exe
2828	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2688	cmd.exe
2688	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\spoolsv.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\system\\winlogon.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\system\\winlogon.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\spoolsv.exe\""	SavesintoHost.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SavesintoHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SavesintoHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system\winlogon.exe	SavesintoHost.exe
File opened for modification	C:\Windows\system\winlogon.exe	SavesintoHost.exe
File created	C:\Windows\system\cc11b995f2a76d	SavesintoHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bc68db77e687fa52b2f367994c5bc6f.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2888	schtasks.exe
1748	schtasks.exe
2012	schtasks.exe
1244	schtasks.exe
2632	schtasks.exe
2472	schtasks.exe
1612	schtasks.exe
2908	schtasks.exe
2768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2568	SavesintoHost.exe
2568	SavesintoHost.exe
2568	SavesintoHost.exe
2568	SavesintoHost.exe
2568	SavesintoHost.exe
2568	SavesintoHost.exe
2568	SavesintoHost.exe
2568	SavesintoHost.exe
2568	SavesintoHost.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
2392	spoolsv.exe
1888	spoolsv.exe
1888	spoolsv.exe
1888	spoolsv.exe
1888	spoolsv.exe
1888	spoolsv.exe
1888	spoolsv.exe
1888	spoolsv.exe
1888	spoolsv.exe
1888	spoolsv.exe
1888	spoolsv.exe
1888	spoolsv.exe
1888	spoolsv.exe
1888	spoolsv.exe
1888	spoolsv.exe
1888	spoolsv.exe
1888	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	SavesintoHost.exe
Token: SeDebugPrivilege	2392	spoolsv.exe
Token: SeDebugPrivilege	1888	spoolsv.exe
Token: SeDebugPrivilege	2680	spoolsv.exe
Token: SeDebugPrivilege	1148	spoolsv.exe
Token: SeDebugPrivilege	1932	spoolsv.exe
Token: SeDebugPrivilege	352	spoolsv.exe
Token: SeDebugPrivilege	1264	spoolsv.exe
Token: SeDebugPrivilege	1532	spoolsv.exe
Token: SeDebugPrivilege	1048	spoolsv.exe
Token: SeDebugPrivilege	2780	spoolsv.exe
Token: SeDebugPrivilege	2828	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2728	2684	0bc68db77e687fa52b2f367994c5bc6f.exe	30
PID 2684 wrote to memory of 2728	2684	0bc68db77e687fa52b2f367994c5bc6f.exe	30
PID 2684 wrote to memory of 2728	2684	0bc68db77e687fa52b2f367994c5bc6f.exe	30
PID 2684 wrote to memory of 2728	2684	0bc68db77e687fa52b2f367994c5bc6f.exe	30
PID 2684 wrote to memory of 2704	2684	0bc68db77e687fa52b2f367994c5bc6f.exe	31
PID 2684 wrote to memory of 2704	2684	0bc68db77e687fa52b2f367994c5bc6f.exe	31
PID 2684 wrote to memory of 2704	2684	0bc68db77e687fa52b2f367994c5bc6f.exe	31
PID 2684 wrote to memory of 2704	2684	0bc68db77e687fa52b2f367994c5bc6f.exe	31
PID 2728 wrote to memory of 2688	2728	WScript.exe	32
PID 2728 wrote to memory of 2688	2728	WScript.exe	32
PID 2728 wrote to memory of 2688	2728	WScript.exe	32
PID 2728 wrote to memory of 2688	2728	WScript.exe	32
PID 2688 wrote to memory of 2568	2688	cmd.exe	34
PID 2688 wrote to memory of 2568	2688	cmd.exe	34
PID 2688 wrote to memory of 2568	2688	cmd.exe	34
PID 2688 wrote to memory of 2568	2688	cmd.exe	34
PID 2568 wrote to memory of 1744	2568	SavesintoHost.exe	45
PID 2568 wrote to memory of 1744	2568	SavesintoHost.exe	45
PID 2568 wrote to memory of 1744	2568	SavesintoHost.exe	45
PID 1744 wrote to memory of 2952	1744	cmd.exe	47
PID 1744 wrote to memory of 2952	1744	cmd.exe	47
PID 1744 wrote to memory of 2952	1744	cmd.exe	47
PID 1744 wrote to memory of 2392	1744	cmd.exe	48
PID 1744 wrote to memory of 2392	1744	cmd.exe	48
PID 1744 wrote to memory of 2392	1744	cmd.exe	48
PID 2392 wrote to memory of 2168	2392	spoolsv.exe	49
PID 2392 wrote to memory of 2168	2392	spoolsv.exe	49
PID 2392 wrote to memory of 2168	2392	spoolsv.exe	49
PID 2392 wrote to memory of 1860	2392	spoolsv.exe	50
PID 2392 wrote to memory of 1860	2392	spoolsv.exe	50
PID 2392 wrote to memory of 1860	2392	spoolsv.exe	50
PID 2168 wrote to memory of 1888	2168	WScript.exe	51
PID 2168 wrote to memory of 1888	2168	WScript.exe	51
PID 2168 wrote to memory of 1888	2168	WScript.exe	51
PID 1888 wrote to memory of 1676	1888	spoolsv.exe	53
PID 1888 wrote to memory of 1676	1888	spoolsv.exe	53
PID 1888 wrote to memory of 1676	1888	spoolsv.exe	53
PID 1888 wrote to memory of 2548	1888	spoolsv.exe	54
PID 1888 wrote to memory of 2548	1888	spoolsv.exe	54
PID 1888 wrote to memory of 2548	1888	spoolsv.exe	54
PID 1676 wrote to memory of 2680	1676	WScript.exe	55
PID 1676 wrote to memory of 2680	1676	WScript.exe	55
PID 1676 wrote to memory of 2680	1676	WScript.exe	55
PID 2680 wrote to memory of 984	2680	spoolsv.exe	56
PID 2680 wrote to memory of 984	2680	spoolsv.exe	56
PID 2680 wrote to memory of 984	2680	spoolsv.exe	56
PID 2680 wrote to memory of 2148	2680	spoolsv.exe	57
PID 2680 wrote to memory of 2148	2680	spoolsv.exe	57
PID 2680 wrote to memory of 2148	2680	spoolsv.exe	57
PID 984 wrote to memory of 1148	984	WScript.exe	58
PID 984 wrote to memory of 1148	984	WScript.exe	58
PID 984 wrote to memory of 1148	984	WScript.exe	58
PID 1148 wrote to memory of 1908	1148	spoolsv.exe	59
PID 1148 wrote to memory of 1908	1148	spoolsv.exe	59
PID 1148 wrote to memory of 1908	1148	spoolsv.exe	59
PID 1148 wrote to memory of 1216	1148	spoolsv.exe	60
PID 1148 wrote to memory of 1216	1148	spoolsv.exe	60
PID 1148 wrote to memory of 1216	1148	spoolsv.exe	60
PID 1908 wrote to memory of 1932	1908	WScript.exe	61
PID 1908 wrote to memory of 1932	1908	WScript.exe	61
PID 1908 wrote to memory of 1932	1908	WScript.exe	61
PID 1932 wrote to memory of 2392	1932	spoolsv.exe	62
PID 1932 wrote to memory of 2392	1932	spoolsv.exe	62
PID 1932 wrote to memory of 2392	1932	spoolsv.exe	62

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SavesintoHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SavesintoHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SavesintoHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0bc68db77e687fa52b2f367994c5bc6f.exe
"C:\Users\Admin\AppData\Local\Temp\0bc68db77e687fa52b2f367994c5bc6f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\comSurrogatecontainercomponentRef\4Vp3r4P.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\comSurrogatecontainercomponentRef\QZY1IZ9a6YLs5.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\comSurrogatecontainercomponentRef\SavesintoHost.exe
      "C:\comSurrogatecontainercomponentRef\SavesintoHost.exe"
      4⤵
      Modifies WinLogon for persistence
      UAC bypass
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2568
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K1II6j107F.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1744
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2952
      - C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5024608b-608c-4a2a-aaa9-0e290351727c.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e04f39f-e669-4250-a7db-a9e4ae7b73f4.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01a45f04-d5b2-4891-9dcc-9b3c7c71571b.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70dc5923-0b8f-4008-b310-4ad5837f0cda.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc39b48e-f046-4445-af24-b94b9598a8d2.vbs"
        15⤵
        
        PID:2392
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10131ede-8ae6-4bd7-b4f3-1098ad0645a2.vbs"
        17⤵
        
        PID:1632
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b10d4371-f744-45fe-8b46-e7c8683e9561.vbs"
        19⤵
        
        PID:2696
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\269724b3-ecc5-44b3-817e-92b3ef750631.vbs"
        21⤵
        
        PID:2688
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfaefb0b-f0a5-4cec-af46-85bd7dd00b72.vbs"
        23⤵
        
        PID:1592
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe"
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\977995ce-7e56-440d-a1c8-9ea7b67a9938.vbs"
        25⤵
        
        PID:2540
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe"
        26⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a254ee69-e0a8-4789-8723-a28a994439d9.vbs"
        27⤵
        
        PID:2800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de1d4382-cf0b-4147-8923-8fa2deec66dc.vbs"
        27⤵
        
        PID:2664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bcd9a1e-342a-471b-9a24-ba1798c6cb32.vbs"
        25⤵
        
        PID:480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2005f4f3-bc7c-46b1-b889-ec6769e98ad6.vbs"
        23⤵
        
        PID:2056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5eee0d51-d559-4332-a7af-6dd3bde8cbe5.vbs"
        21⤵
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d03850e7-61fa-457f-9d7a-4fe87cbcb5ea.vbs"
        19⤵
        
        PID:2648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4aba5201-7859-4958-90db-e1ac3505cf0a.vbs"
        17⤵
        
        PID:2684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95641476-e39b-4365-809c-f084d0ec181a.vbs"
        15⤵
        
        PID:1620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8a2ed07-6a62-496f-8a53-3156930aae03.vbs"
        13⤵
        
        PID:1216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99686aae-c0b2-4f0c-8caf-1b1a5a591716.vbs"
        11⤵
        
        PID:2148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78c7d36c-5f74-461a-8dfa-1d5db8a4f081.vbs"
        9⤵
        
        PID:2548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74fadeef-bde7-4e27-870f-b348c4dcf9f7.vbs"
        7⤵
        
        PID:1860
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\comSurrogatecontainercomponentRef\file.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\system\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\system\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\system\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\01a45f04-d5b2-4891-9dcc-9b3c7c71571b.vbs

Filesize
750B

MD5
d1f8f9152ad6ee1dc2c835dd990be492

SHA1
7eb5a524d666776b7877920a9c4b19fad00724f4

SHA256
3cc32b25954aafd46a1a9da6d71072dc9e5f87b305a800949ff4580893b8b51f

SHA512
57f802f1f9be505bc50b16d5d25a11004b44e6042192ce34fafb4218dfe3792b4289830e2ef510f3b89f36c727d5ea90b7cf8e4021351bc79657242ab340cd36

Download Submit
C:\Users\Admin\AppData\Local\Temp\10131ede-8ae6-4bd7-b4f3-1098ad0645a2.vbs

Filesize
749B

MD5
58c2b5b62ed452fa04ab48c346318ee9

SHA1
615074331f47dece9d9e09c754ca5f0837ea1d87

SHA256
7fd51b2a829428390ba362a6b74de050666a991d0e2738dae02622c14b35c6cb

SHA512
0bffd654ec032f6b91c80011de4fecaedb0c9b253e13f7fce73cc76a1f36a337693f652b5a0b56f6482314e19dc8c09925eab7c74e2ea2768b86a8197c79f321

Download Submit
C:\Users\Admin\AppData\Local\Temp\269724b3-ecc5-44b3-817e-92b3ef750631.vbs

Filesize
750B

MD5
c5fe5f081d0bdc34c6650ce8c57e1385

SHA1
4846aeeadb26273b18d1d800c1f003e47ad8f919

SHA256
27ee4745af62398666f773b47b33e75c7af27f6e1546c164421e76eef111563f

SHA512
a838bf1b655aa7f3ef4a2ffb97112185fd1a4a1faec98749edf7738729505f0bb83903a83415de1787e3c8a76f1ef065e829461055deb29e52816d74386e4b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5024608b-608c-4a2a-aaa9-0e290351727c.vbs

Filesize
750B

MD5
0592fab700225bb85a23d22a18f37f19

SHA1
8cdc95329034bdd2a76130fb6fa62bf1473d5d7e

SHA256
4bafbacfd791123517225fec535a2bcde93926f85e3019f62700125e2763da80

SHA512
c3b2cb7e70b96eb1227cb5e0924ad5f0731714c46b79ceb6530bd6ae00cef4d9b063e7f640a41c8031f7c04a00f7281dd0de24c4c72ef65f2ca18e0eae9db47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\70dc5923-0b8f-4008-b310-4ad5837f0cda.vbs

Filesize
750B

MD5
7903e339eed580975c3a6c70593453f8

SHA1
5eec21b998ad8e41308c358e430799f8596122b2

SHA256
7d5806866436ee64954bd39ece35fa9a3d4935d7a8c6ef206118a9dd9b3bebc6

SHA512
25bfac535ed74c927807891cc0659630988d5923f1da93f38aa805b83cfb24741d677e8ed5a2377771ea29d8ced41fe04233d854c8f8443f1c3037f74835e35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\74fadeef-bde7-4e27-870f-b348c4dcf9f7.vbs

Filesize
526B

MD5
4d08dac5afe2a1be42fb9b06df984762

SHA1
1bf6162abf5b859d67e7e5b3e7369c68365388c8

SHA256
b08e4105d2bc1154f8adfc5b7069f7d8634987a9ac88f353f01f56743a1f013f

SHA512
dc42d72844dd816ab34f63d102a6b67a311f064ab0921d7e39af0f3d2d6496fb446709255b0041cb7774541e68beffc97c9e75e4aa118ad8251492d5b3fdfae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\977995ce-7e56-440d-a1c8-9ea7b67a9938.vbs

Filesize
750B

MD5
b331d3d7d5734aa9af4ec5cbcebf84ca

SHA1
bd02e7aed15ff82a296eac358e10e9554f80f196

SHA256
f757d84793e7f9ec9888a6eb8be272a0c80f8f3f3ffea5dcb21d755a8cf42af3

SHA512
400f06009eed1e40637404cc75e865ec324f0bed43e0933c1f50a01c0e53c476fa8e09334782fb907eb75d5f0df8526f560eba8c9b4380b0dd1f1b6e6aa436ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e04f39f-e669-4250-a7db-a9e4ae7b73f4.vbs

Filesize
750B

MD5
6698f8b43af8b44bc408504444c37614

SHA1
b76ef58712f5123cb32ce5b659d761ee4c8de231

SHA256
7edbc5a4acd56a453d1dd3371fe2ba41970546a5c76cb4b0293cfa62354f4360

SHA512
b126ab00553d1d470ccadc1605911caa6b056d2087ea9b6fae66a194b04ac690f8ba9167e0de43469987310dec9f24336d8283411a73949902eaf8a1f94513c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K1II6j107F.bat

Filesize
239B

MD5
55ae4fc663db32184bdaa93a2e066bd6

SHA1
4176007ea0f2566c4a37a5eccda769e5394490c6

SHA256
9cffdffc7a1fa1a4650cc4cad389e0f1e81bcb71f6762cf72d186e1714322129

SHA512
ff0ade31099ad17bb3cc88f4452ed78ccaebd75a624772dac0cb521b349bf2d327aa24f8c9f2d27e87a44d1528e8ad5c2548f5df12fc70cc821a28e5fcfd4e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\a254ee69-e0a8-4789-8723-a28a994439d9.vbs

Filesize
750B

MD5
e29688f2ae5962a2a7a5a5edf029b642

SHA1
58de874b1a7b319dde5b233a8cde6f17a36216d9

SHA256
05f8268d5857cc8844a43898a20ff7810ab423f4ecb29521a677f59afc417e69

SHA512
8319ef5988e3f1deae45f7ff7ee25bff50e2048e53cec5696feb9bea8524664c424bbf23416b9ae9f9dc340afd3d8f6ac08a084931d7e7cfe6cbec4c277972d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\b10d4371-f744-45fe-8b46-e7c8683e9561.vbs

Filesize
750B

MD5
0c3b1aa68a180e84c0519a7a9a77d2cb

SHA1
caf6e25ba50e0381f070f1e703302f0db4792a18

SHA256
5cefa1d4477daa6d96238f323da1ee5e5cfb4e068d0840aa7365df1246e56de7

SHA512
13787ba7735e1d5e1f431e233ed35d6bcc66c1d4dd65d20a0326f3b056310d8819b08eba455705f5960673dfe4b40714a6f6f6fbde987615f3981cb7ae8b7540

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfaefb0b-f0a5-4cec-af46-85bd7dd00b72.vbs

Filesize
750B

MD5
8752a4d3e0b94f099dc85013bca9c10c

SHA1
222dd79a6278871a85222f9b7713b523d636f00a

SHA256
4224d4085dc68971e46ec87920f5c9df54dfbb57147e4f00b15017033ca5132b

SHA512
be55076363ae53aac679dc9aacd2d802ceff3a048acd198ff5219aaae33688acdd9fc7253e999f4aac90fd75b92de9ef5a93509b8a26f6a893cb4103dd1e4b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc39b48e-f046-4445-af24-b94b9598a8d2.vbs

Filesize
750B

MD5
ec5a9c251d04bc5732f198a4a495b129

SHA1
cf25b1dc3c40b75a52e1d6f3b105eb9a8ec0015b

SHA256
f7f4bee5e309cfbbf8cbdbf774637b75c9943e35fead479382a760a930d189d6

SHA512
3b5d4f8de51697e341d8f48bf80c7c7502fb27d1adcd5983d6e16edf77d7972472b2767da3ec1c4c7f347e04be47e164f38e8efe5c62eb67c7a767ace6b3a558

Download Submit
C:\comSurrogatecontainercomponentRef\4Vp3r4P.vbe

Filesize
223B

MD5
5d646684debbc53c0c7ec5fa65f23216

SHA1
c161dec715fcc4156442fc30eaf6b3d0caddfb17

SHA256
cddd4a030f867acb39a0e7697732cbd57bb2e5e9f0d81fc1e7d752d57c1ee195

SHA512
e6518ff37848e7e92d9b820b3eecea2a0d0d85fd6804a8b4f4adf56154aa1a1d5433c3333d469bc8e2ffb9f4ebb4445f979467f970f9155774a670fe5446c19a

Download Submit
C:\comSurrogatecontainercomponentRef\QZY1IZ9a6YLs5.bat

Filesize
56B

MD5
cbba91293fed3dfb5a3a0cd0ec53b505

SHA1
6d66eaa19e366c386d006b8b782cda171c359c43

SHA256
062cff19b7be8c7d9c9941f75b9225982eb3799a766ee73659251f7d0c0b299d

SHA512
a97640da0d86256b3512d84c9a5120e41cb7ed47f3a61f8f4f6212804034a8e19a99fc35a3b91804734c93279b74b23737e31e224152d3e6a17e113fd4bca0f4

Download Submit
C:\comSurrogatecontainercomponentRef\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
\comSurrogatecontainercomponentRef\SavesintoHost.exe

Filesize
2.2MB

MD5
3aa1bbd17d68b0b67b7423f1fe09b05b

SHA1
61c43b8f31a51d772fd39d5caa87699d74971a43

SHA256
7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474

SHA512
7ae82411565104b15cc0de4cc8315d93301befbb28b1e36e3c50d46c8ba9fb1ff8eb361e12cd9d32771e2a5ecbee9b026aca0105473a9fe5a877fc2744b32014

Download Submit
memory/352-125-0x00000000012D0000-0x000000000150E000-memory.dmp

Filesize
2.2MB

Download
memory/1148-100-0x00000000021D0000-0x00000000021E2000-memory.dmp

Filesize
72KB

Download
memory/1148-99-0x00000000003E0000-0x000000000061E000-memory.dmp

Filesize
2.2MB

Download
memory/1888-75-0x0000000001270000-0x00000000014AE000-memory.dmp

Filesize
2.2MB

Download
memory/1932-112-0x0000000000F80000-0x00000000011BE000-memory.dmp

Filesize
2.2MB

Download
memory/1932-113-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/2392-64-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/2392-63-0x0000000000290000-0x00000000004CE000-memory.dmp

Filesize
2.2MB

Download
memory/2568-29-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/2568-32-0x00000000021A0000-0x00000000021A8000-memory.dmp

Filesize
32KB

Download
memory/2568-41-0x0000000002250000-0x000000000225C000-memory.dmp

Filesize
48KB

Download
memory/2568-42-0x0000000002260000-0x000000000226A000-memory.dmp

Filesize
40KB

Download
memory/2568-43-0x00000000023D0000-0x00000000023DE000-memory.dmp

Filesize
56KB

Download
memory/2568-44-0x000000001A9B0000-0x000000001A9B8000-memory.dmp

Filesize
32KB

Download
memory/2568-46-0x000000001ADA0000-0x000000001ADAC000-memory.dmp

Filesize
48KB

Download
memory/2568-45-0x000000001A9C0000-0x000000001A9C8000-memory.dmp

Filesize
32KB

Download
memory/2568-47-0x000000001ADB0000-0x000000001ADB8000-memory.dmp

Filesize
32KB

Download
memory/2568-48-0x000000001ADC0000-0x000000001ADCA000-memory.dmp

Filesize
40KB

Download
memory/2568-49-0x000000001ADD0000-0x000000001ADDC000-memory.dmp

Filesize
48KB

Download
memory/2568-39-0x0000000002230000-0x000000000223C000-memory.dmp

Filesize
48KB

Download
memory/2568-38-0x0000000002220000-0x000000000222C000-memory.dmp

Filesize
48KB

Download
memory/2568-37-0x0000000002210000-0x0000000002218000-memory.dmp

Filesize
32KB

Download
memory/2568-36-0x0000000002200000-0x000000000220C000-memory.dmp

Filesize
48KB

Download
memory/2568-35-0x00000000021D0000-0x00000000021E2000-memory.dmp

Filesize
72KB

Download
memory/2568-34-0x00000000021C0000-0x00000000021C8000-memory.dmp

Filesize
32KB

Download
memory/2568-33-0x00000000021B0000-0x00000000021BC000-memory.dmp

Filesize
48KB

Download
memory/2568-18-0x00000000009D0000-0x0000000000C0E000-memory.dmp

Filesize
2.2MB

Download
memory/2568-40-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2568-31-0x00000000009C0000-0x00000000009CC000-memory.dmp

Filesize
48KB

Download
memory/2568-30-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/2568-28-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/2568-27-0x0000000000980000-0x000000000098C000-memory.dmp

Filesize
48KB

Download
memory/2568-26-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2568-25-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/2568-24-0x00000000005B0000-0x00000000005C6000-memory.dmp

Filesize
88KB

Download
memory/2568-23-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/2568-22-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/2568-21-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/2568-20-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/2568-19-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/2680-87-0x00000000012E0000-0x000000000151E000-memory.dmp

Filesize
2.2MB

Download
memory/2780-171-0x00000000007A0000-0x00000000007B2000-memory.dmp

Filesize
72KB

Download
memory/2780-170-0x0000000000120000-0x000000000035E000-memory.dmp

Filesize
2.2MB

Download
memory/2828-183-0x0000000000390000-0x00000000005CE000-memory.dmp

Filesize
2.2MB

Download
memory/2828-184-0x0000000000920000-0x0000000000932000-memory.dmp

Filesize
72KB

Download