dcrat | 7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/12/2024, 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Size

2.2MB
MD5

3aa1bbd17d68b0b67b7423f1fe09b05b
SHA1

61c43b8f31a51d772fd39d5caa87699d74971a43
SHA256

7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474
SHA512

7ae82411565104b15cc0de4cc8315d93301befbb28b1e36e3c50d46c8ba9fb1ff8eb361e12cd9d32771e2a5ecbee9b026aca0105473a9fe5a877fc2744b32014
SSDEEP

49152:mx4QdTmxnMJUh+pDY92IXc3Mx+HqXQJc2cv1TDlH:QdPpDYbNiIP2cvxZH

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 34 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2376	schtasks.exe
		2680	schtasks.exe
		2928	schtasks.exe
		2732	schtasks.exe
		2044	schtasks.exe
		2404	schtasks.exe
		448	schtasks.exe
		1544	schtasks.exe
		2648	schtasks.exe
		1236	schtasks.exe
		668	schtasks.exe
		2120	schtasks.exe
		588	schtasks.exe
		2260	schtasks.exe
		2424	schtasks.exe
		2664	schtasks.exe
		2340	schtasks.exe
		1940	schtasks.exe
		1644	schtasks.exe
		2348	schtasks.exe
		2228	schtasks.exe
		2808	schtasks.exe
		1148	schtasks.exe
		2136	schtasks.exe
		344	schtasks.exe
		556	schtasks.exe
		2940	schtasks.exe
		2992	schtasks.exe
		1840	schtasks.exe
		3064	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
		2960	schtasks.exe
		1508	schtasks.exe
		2364	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 11 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\services.exe\", \"C:\\Windows\\LiveKernelReports\\audiodg.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\services.exe\", \"C:\\Windows\\LiveKernelReports\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\smss.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\services.exe\", \"C:\\Windows\\LiveKernelReports\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Public\\Pictures\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\smss.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Start Menu\\csrss.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\winlogon.exe\", \"C:\\Program Files\\Microsoft Games\\Multiplayer\\Spades\\en-US\\smss.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\services.exe\", \"C:\\Windows\\LiveKernelReports\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Public\\Pictures\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\smss.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Start Menu\\csrss.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\winlogon.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\services.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\services.exe\", \"C:\\Windows\\LiveKernelReports\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\winlogon.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\services.exe\", \"C:\\Windows\\LiveKernelReports\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\services.exe\", \"C:\\Windows\\LiveKernelReports\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Public\\Pictures\\explorer.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\services.exe\", \"C:\\Windows\\LiveKernelReports\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Public\\Pictures\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\smss.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\services.exe\", \"C:\\Windows\\LiveKernelReports\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Public\\Pictures\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\smss.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\WmiPrvSE.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\services.exe\", \"C:\\Windows\\LiveKernelReports\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Public\\Pictures\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\smss.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Start Menu\\csrss.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	3032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	3032	schtasks.exe	30

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2600-1-0x0000000000A60000-0x0000000000C9E000-memory.dmp	dcrat
behavioral1/files/0x000500000001a41b-42.dat	dcrat
behavioral1/memory/1724-62-0x0000000000230000-0x000000000046E000-memory.dmp	dcrat
behavioral1/memory/1796-74-0x0000000000BA0000-0x0000000000DDE000-memory.dmp	dcrat
behavioral1/memory/2924-87-0x0000000000F90000-0x00000000011CE000-memory.dmp	dcrat
behavioral1/memory/1628-99-0x0000000001000000-0x000000000123E000-memory.dmp	dcrat
behavioral1/memory/2396-111-0x0000000000280000-0x00000000004BE000-memory.dmp	dcrat
behavioral1/memory/1536-123-0x0000000000D50000-0x0000000000F8E000-memory.dmp	dcrat
behavioral1/memory/1508-147-0x0000000000850000-0x0000000000A8E000-memory.dmp	dcrat
behavioral1/memory/1392-159-0x0000000000910000-0x0000000000B4E000-memory.dmp	dcrat
behavioral1/memory/1444-171-0x0000000000EC0000-0x00000000010FE000-memory.dmp	dcrat
behavioral1/memory/1864-183-0x00000000013D0000-0x000000000160E000-memory.dmp	dcrat
behavioral1/memory/2316-195-0x0000000000270000-0x00000000004AE000-memory.dmp	dcrat

Executes dropped EXE 12 IoCs

pid	Process
1724	smss.exe
1796	smss.exe
2924	smss.exe
1628	smss.exe
2396	smss.exe
1536	smss.exe
1664	smss.exe
1508	smss.exe
1392	smss.exe
1444	smss.exe
1864	smss.exe
2316	smss.exe

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Public\\Pictures\\explorer.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Public\\Pictures\\explorer.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\smss.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Internet Explorer\\ja-JP\\smss.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\winlogon.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\smss.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\WmiPrvSE.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Microsoft Games\\Multiplayer\\Spades\\en-US\\smss.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Internet Explorer\\ja-JP\\smss.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\winlogon.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\WmiPrvSE.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Start Menu\\csrss.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\winlogon.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Microsoft Games\\Multiplayer\\Spades\\en-US\\smss.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\services.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\LiveKernelReports\\audiodg.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\LiveKernelReports\\audiodg.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\services.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Start Menu\\csrss.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\winlogon.exe\""	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\smss.exe	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\69ddcba757bf72	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
File created	C:\Program Files\Internet Explorer\ja-JP\smss.exe	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
File created	C:\Program Files\Internet Explorer\ja-JP\69ddcba757bf72	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\winlogon.exe	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\cc11b995f2a76d	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\LiveKernelReports\audiodg.exe	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
File created	C:\Windows\LiveKernelReports\42af1c969fbb7b	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\WmiPrvSE.exe	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\24dbde2999530e	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
556	schtasks.exe
2960	schtasks.exe
2940	schtasks.exe
2424	schtasks.exe
2228	schtasks.exe
1544	schtasks.exe
1940	schtasks.exe
2928	schtasks.exe
2340	schtasks.exe
668	schtasks.exe
1236	schtasks.exe
2732	schtasks.exe
3064	schtasks.exe
2808	schtasks.exe
2648	schtasks.exe
1644	schtasks.exe
1148	schtasks.exe
2348	schtasks.exe
448	schtasks.exe
344	schtasks.exe
2376	schtasks.exe
2260	schtasks.exe
1840	schtasks.exe
2404	schtasks.exe
2664	schtasks.exe
2680	schtasks.exe
588	schtasks.exe
2044	schtasks.exe
2120	schtasks.exe
1508	schtasks.exe
2992	schtasks.exe
2364	schtasks.exe
2136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2600	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
2600	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
2600	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
2600	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
2600	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
2600	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
2600	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1796	smss.exe
1796	smss.exe
1796	smss.exe
1796	smss.exe
1796	smss.exe
1796	smss.exe
1796	smss.exe
1796	smss.exe
1796	smss.exe
1796	smss.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Token: SeDebugPrivilege	1724	smss.exe
Token: SeDebugPrivilege	1796	smss.exe
Token: SeDebugPrivilege	2924	smss.exe
Token: SeDebugPrivilege	1628	smss.exe
Token: SeDebugPrivilege	2396	smss.exe
Token: SeDebugPrivilege	1536	smss.exe
Token: SeDebugPrivilege	1664	smss.exe
Token: SeDebugPrivilege	1508	smss.exe
Token: SeDebugPrivilege	1392	smss.exe
Token: SeDebugPrivilege	1444	smss.exe
Token: SeDebugPrivilege	1864	smss.exe
Token: SeDebugPrivilege	2316	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 1724	2600	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe	64
PID 2600 wrote to memory of 1724	2600	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe	64
PID 2600 wrote to memory of 1724	2600	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe	64
PID 1724 wrote to memory of 2564	1724	smss.exe	65
PID 1724 wrote to memory of 2564	1724	smss.exe	65
PID 1724 wrote to memory of 2564	1724	smss.exe	65
PID 1724 wrote to memory of 2488	1724	smss.exe	66
PID 1724 wrote to memory of 2488	1724	smss.exe	66
PID 1724 wrote to memory of 2488	1724	smss.exe	66
PID 2564 wrote to memory of 1796	2564	WScript.exe	68
PID 2564 wrote to memory of 1796	2564	WScript.exe	68
PID 2564 wrote to memory of 1796	2564	WScript.exe	68
PID 1796 wrote to memory of 2816	1796	smss.exe	69
PID 1796 wrote to memory of 2816	1796	smss.exe	69
PID 1796 wrote to memory of 2816	1796	smss.exe	69
PID 1796 wrote to memory of 1340	1796	smss.exe	70
PID 1796 wrote to memory of 1340	1796	smss.exe	70
PID 1796 wrote to memory of 1340	1796	smss.exe	70
PID 2816 wrote to memory of 2924	2816	WScript.exe	71
PID 2816 wrote to memory of 2924	2816	WScript.exe	71
PID 2816 wrote to memory of 2924	2816	WScript.exe	71
PID 2924 wrote to memory of 2540	2924	smss.exe	72
PID 2924 wrote to memory of 2540	2924	smss.exe	72
PID 2924 wrote to memory of 2540	2924	smss.exe	72
PID 2924 wrote to memory of 2040	2924	smss.exe	73
PID 2924 wrote to memory of 2040	2924	smss.exe	73
PID 2924 wrote to memory of 2040	2924	smss.exe	73
PID 2540 wrote to memory of 1628	2540	WScript.exe	74
PID 2540 wrote to memory of 1628	2540	WScript.exe	74
PID 2540 wrote to memory of 1628	2540	WScript.exe	74
PID 1628 wrote to memory of 1752	1628	smss.exe	75
PID 1628 wrote to memory of 1752	1628	smss.exe	75
PID 1628 wrote to memory of 1752	1628	smss.exe	75
PID 1628 wrote to memory of 344	1628	smss.exe	76
PID 1628 wrote to memory of 344	1628	smss.exe	76
PID 1628 wrote to memory of 344	1628	smss.exe	76
PID 1752 wrote to memory of 2396	1752	WScript.exe	77
PID 1752 wrote to memory of 2396	1752	WScript.exe	77
PID 1752 wrote to memory of 2396	1752	WScript.exe	77
PID 2396 wrote to memory of 2272	2396	smss.exe	78
PID 2396 wrote to memory of 2272	2396	smss.exe	78
PID 2396 wrote to memory of 2272	2396	smss.exe	78
PID 2396 wrote to memory of 2696	2396	smss.exe	79
PID 2396 wrote to memory of 2696	2396	smss.exe	79
PID 2396 wrote to memory of 2696	2396	smss.exe	79
PID 2272 wrote to memory of 1536	2272	WScript.exe	80
PID 2272 wrote to memory of 1536	2272	WScript.exe	80
PID 2272 wrote to memory of 1536	2272	WScript.exe	80
PID 1536 wrote to memory of 976	1536	smss.exe	81
PID 1536 wrote to memory of 976	1536	smss.exe	81
PID 1536 wrote to memory of 976	1536	smss.exe	81
PID 1536 wrote to memory of 2856	1536	smss.exe	82
PID 1536 wrote to memory of 2856	1536	smss.exe	82
PID 1536 wrote to memory of 2856	1536	smss.exe	82
PID 976 wrote to memory of 1664	976	WScript.exe	83
PID 976 wrote to memory of 1664	976	WScript.exe	83
PID 976 wrote to memory of 1664	976	WScript.exe	83
PID 1664 wrote to memory of 2276	1664	smss.exe	84
PID 1664 wrote to memory of 2276	1664	smss.exe	84
PID 1664 wrote to memory of 2276	1664	smss.exe	84
PID 1664 wrote to memory of 1312	1664	smss.exe	85
PID 1664 wrote to memory of 1312	1664	smss.exe	85
PID 1664 wrote to memory of 1312	1664	smss.exe	85
PID 2276 wrote to memory of 1508	2276	WScript.exe	86

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe
"C:\Users\Admin\AppData\Local\Temp\7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2600
- C:\Program Files\Internet Explorer\ja-JP\smss.exe
  "C:\Program Files\Internet Explorer\ja-JP\smss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1724
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f86f5bf-720c-4847-9777-4e7bc86ceb39.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Program Files\Internet Explorer\ja-JP\smss.exe
      "C:\Program Files\Internet Explorer\ja-JP\smss.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1796
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b2ed587-f656-48ad-ba09-08f4961c676f.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Program Files\Internet Explorer\ja-JP\smss.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\smss.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c7ce2f1-f85a-47ea-bb9f-5b00174e7f80.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Program Files\Internet Explorer\ja-JP\smss.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\smss.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09b654cf-6c0a-4d88-affd-d6d4f5d00eb2.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Program Files\Internet Explorer\ja-JP\smss.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\smss.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cff741ce-19c5-4731-bf1f-96af13771fe9.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Program Files\Internet Explorer\ja-JP\smss.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\smss.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe1b9c88-e32d-4620-8b42-37e53b92f929.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Program Files\Internet Explorer\ja-JP\smss.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\smss.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a407c47b-5955-4999-aa88-fe5a51eb83c7.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Program Files\Internet Explorer\ja-JP\smss.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\smss.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca190fde-537b-4fdd-ad09-c10b32efed48.vbs"
        17⤵
        
        PID:1800
        
        C:\Program Files\Internet Explorer\ja-JP\smss.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\smss.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57583a00-ccbd-4995-9d47-64f40fbc5d95.vbs"
        19⤵
        
        PID:2124
        
        C:\Program Files\Internet Explorer\ja-JP\smss.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\smss.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\822fbc16-8150-4c60-b51b-109ac73d95dd.vbs"
        21⤵
        
        PID:2332
        
        C:\Program Files\Internet Explorer\ja-JP\smss.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\smss.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcf6488c-9e48-458f-bed4-6ceefce1d5e2.vbs"
        23⤵
        
        PID:696
        
        C:\Program Files\Internet Explorer\ja-JP\smss.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\smss.exe"
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\775f5224-91a6-4ec1-b2ab-ed7f0044703f.vbs"
        23⤵
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33161da3-d544-4581-afc6-a3fac50a48bb.vbs"
        21⤵
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8d62dde-d258-4ad5-96da-e8cbb2c85dad.vbs"
        19⤵
        
        PID:2624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c24082d-4d19-48e1-b279-a85ac988875d.vbs"
        17⤵
        
        PID:572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d5704c0-11cb-4a31-925e-a57913e49d5d.vbs"
        15⤵
        
        PID:1312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20f47112-1403-40d2-ac79-996c9e2af446.vbs"
        13⤵
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff069873-88ef-4bb7-8709-36f1a4ef0260.vbs"
        11⤵
        
        PID:2696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbfb41d3-fd42-4624-86b6-6b956eec4f78.vbs"
        9⤵
        
        PID:344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b48296df-8461-41a2-b6c9-819cb3615491.vbs"
        7⤵
        
        PID:2040
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e691e22-c66b-4b1c-970a-dab7d3ef7961.vbs"
        5⤵
        
        PID:1340
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efe5e628-470a-4451-b757-387aad8d43ef.vbs"
    3⤵
    PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\ja-JP\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe

Filesize
2.2MB

MD5
3aa1bbd17d68b0b67b7423f1fe09b05b

SHA1
61c43b8f31a51d772fd39d5caa87699d74971a43

SHA256
7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474

SHA512
7ae82411565104b15cc0de4cc8315d93301befbb28b1e36e3c50d46c8ba9fb1ff8eb361e12cd9d32771e2a5ecbee9b026aca0105473a9fe5a877fc2744b32014

Download Submit
C:\Users\Admin\AppData\Local\Temp\09b654cf-6c0a-4d88-affd-d6d4f5d00eb2.vbs

Filesize
725B

MD5
806f1206b53ce10a175bc6157f19275b

SHA1
8a3cbf508db61a0bdfeee72996f64cf5bfb628e0

SHA256
2aaa8c35e622d3ca421c965a247f62967ffa6204edef760e616f3f29acd2f5d8

SHA512
c074ed6a03ac43676e8764cbc474d4f43c667231b8ee0cc2d4cc15c529db46eef6ab5e0e1056370f6999d443f4f5861f8ca9af39edbe96ff7e7171dd6f6978a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f86f5bf-720c-4847-9777-4e7bc86ceb39.vbs

Filesize
725B

MD5
28b66ae9429e0e9e0d49d16903ba7099

SHA1
e37f3f835be3fa354c1dc95bbba2d9a8a732ece0

SHA256
f813383e98af302231c748928a854379fb440cc93191a4eb404e11217cea1bf4

SHA512
26a0232f079535dd97d642f30f9284e2882f70c7f860b9252e29bab3ac64224753abae7adeae29d4ab2bf0023c92203f9fd881133545bb84faab4be15a3151a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\57583a00-ccbd-4995-9d47-64f40fbc5d95.vbs

Filesize
725B

MD5
b8a9f52e8b5b838bbd42fb48b9d629c9

SHA1
4c4306f313e932f5364111393feee2832f6e75ba

SHA256
f4e2c529d11ae597b342534dd40e09c6f314de0dcb98afb7c22ae2efc5db4c28

SHA512
f8acf057ab5055bc604db56aa68d749e4edad81f5228e574f4276392c4ce92f25e35fadd87a2137c13697a44e6bccd8582e377bb40b97238c321809b69a0bda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b2ed587-f656-48ad-ba09-08f4961c676f.vbs

Filesize
725B

MD5
ca92d0a23951691b689d53a74b261321

SHA1
d074543bdd42488741459660ed7c076de4b2d1dd

SHA256
28c138713a066d15a4116bebb68433fa5038b569a77ddc31029d44a0c45c88e7

SHA512
4dd3d8d0468da45611f7aeceb4c9e34e7ec33ebb17017a9d48dda8ad43b0b668edb5350abab78ab0b8df433829628ee22a4c11c370f3b7f02af67cf2a4446b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c7ce2f1-f85a-47ea-bb9f-5b00174e7f80.vbs

Filesize
725B

MD5
3661ba423901aef273492bc6e4c92ed0

SHA1
10d9b49fab541e09d11efdd5cc706bb533ec363d

SHA256
d3cc00bcd322795bc12741b56da1d45b4c09aa55fee2ccfd48cef5b8db4df2ef

SHA512
eccd340b6feeabd87a13e28cf86213906472171cf336194e54ebef04bbd55b15788a191d9485e707a9c601b62081b43f18d6a611ddb7e2dcba6795ccc815ebfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\822fbc16-8150-4c60-b51b-109ac73d95dd.vbs

Filesize
725B

MD5
700219e77fe72b665526098d8966655a

SHA1
082bf1f88e9448349267040d137237860ca8ff5a

SHA256
cb24295eef43675952b46281733e8de9266659064907a5b7c6d6907a6d3f7265

SHA512
4c248e82ee317a6132101c292661134186de749531166507225811be02fd49589d39a81eaff5e858478af8986c7d336d1898699ecaa1804b2f2010c19cffa5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a407c47b-5955-4999-aa88-fe5a51eb83c7.vbs

Filesize
725B

MD5
e375c2cc4de88593f34eb597878f3a77

SHA1
a68fb26d91c53e0c2eb4607c379652bd7c003d7f

SHA256
07c7f71e117ad997a9c499943cb68256c58b2c276fab9d39d79c1e0108173224

SHA512
7964323761451621c2c5679dbf55db9ccd4e1e319fc78fd8543a52813283e83885a90a3070efdd8e7fa0c4079ca784e2b9921aa02d09f9c162e4ad9355c96bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca190fde-537b-4fdd-ad09-c10b32efed48.vbs

Filesize
725B

MD5
4b6a8a5b5f1e589caf9746151c8c67ae

SHA1
bb0169c11f9d793b26a541791c9773fb5f19ceb3

SHA256
8c3307976e0a08da2c729f17db42d1d5f81c7d3f588ea913b3acd0f442c813bd

SHA512
5ad985f459fe9e11dd7e41cffa9a06d7ab33ecfb25eb0435b7086404e09b9543123b485baa88c5707f0badbef488fc13ef6fefe08eb82971e4b2158bdde36538

Download Submit
C:\Users\Admin\AppData\Local\Temp\cff741ce-19c5-4731-bf1f-96af13771fe9.vbs

Filesize
725B

MD5
a10aebba112a5fd39c8c9b86d7941151

SHA1
e24bf63f1ae57189152783c63c103584fabdc3f2

SHA256
261ad66eea8bf6fef5342df6cd6f426ad04c4ebbc6d5da484f9ec0aae7351615

SHA512
bd8ec7f9a746576fe8f17d3704cc04d17c4417ae72b84a12ccbba3e7da3c51dafcb254fbf3f66cac70edb1b3209879077bfffdeedacbd43c81df301750697f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\efe5e628-470a-4451-b757-387aad8d43ef.vbs

Filesize
501B

MD5
2fbf4c9853f5653cb602e2b459037d03

SHA1
183a19a41c660a7034c585c8bf1d30b8555c0e82

SHA256
e598206921f9c50cd4d1adccfe6bc59683c2b67e535b9ae82ae11e9f7ddd8de8

SHA512
7b9024f2105107dab57f5a96c5bac81f11af44bcd245054da17abefdbfadfe607c0031e3376bbc60232500915f285fe87277ed79737ba46981c17aded0a4d4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcf6488c-9e48-458f-bed4-6ceefce1d5e2.vbs

Filesize
725B

MD5
00b6e00d3d1f5e79eb0e16e44f7c4984

SHA1
013ebc05ca691f05558105e5d6ec7802f5d31c3d

SHA256
996698332a34ca5d65228c0ef95ee3880deae5625460c79154c001c5712ad07f

SHA512
fc281c2eaedff5fa63f0bedecd30da23eb545077e4a804578913fe52ec5350f7f66e263ae2db142eb87b2eb844b75457c99dc9d0d26f0719ab6cce25ab338787

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe1b9c88-e32d-4620-8b42-37e53b92f929.vbs

Filesize
725B

MD5
c7c0d6ce8fc1e2707d643a0094b1c779

SHA1
39212bc793f32ed2ec82937ab3ee75ea9e0e7610

SHA256
3612150880ba585d3639e9830fa2895925b78c41319ccb111edd142a1260adf3

SHA512
9ea0793c8c0847e51498613f13a28620b820efe92650ffeb37e26e287862eb287fa37a7953f3d4e76d0e19b053c7f439fffee9d044f660e5ea3b91905f6b822d

Download Submit
memory/1392-159-0x0000000000910000-0x0000000000B4E000-memory.dmp

Filesize
2.2MB

Download
memory/1444-171-0x0000000000EC0000-0x00000000010FE000-memory.dmp

Filesize
2.2MB

Download
memory/1508-147-0x0000000000850000-0x0000000000A8E000-memory.dmp

Filesize
2.2MB

Download
memory/1536-123-0x0000000000D50000-0x0000000000F8E000-memory.dmp

Filesize
2.2MB

Download
memory/1536-124-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download
memory/1628-99-0x0000000001000000-0x000000000123E000-memory.dmp

Filesize
2.2MB

Download
memory/1724-62-0x0000000000230000-0x000000000046E000-memory.dmp

Filesize
2.2MB

Download
memory/1796-75-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/1796-74-0x0000000000BA0000-0x0000000000DDE000-memory.dmp

Filesize
2.2MB

Download
memory/1864-183-0x00000000013D0000-0x000000000160E000-memory.dmp

Filesize
2.2MB

Download
memory/2316-195-0x0000000000270000-0x00000000004AE000-memory.dmp

Filesize
2.2MB

Download
memory/2396-111-0x0000000000280000-0x00000000004BE000-memory.dmp

Filesize
2.2MB

Download
memory/2600-15-0x0000000002270000-0x000000000227C000-memory.dmp

Filesize
48KB

Download
memory/2600-11-0x0000000002220000-0x000000000222C000-memory.dmp

Filesize
48KB

Download
memory/2600-27-0x000000001A9A0000-0x000000001A9AE000-memory.dmp

Filesize
56KB

Download
memory/2600-29-0x000000001AD90000-0x000000001AD98000-memory.dmp

Filesize
32KB

Download
memory/2600-30-0x000000001AEA0000-0x000000001AEAC000-memory.dmp

Filesize
48KB

Download
memory/2600-28-0x000000001AD80000-0x000000001AD88000-memory.dmp

Filesize
32KB

Download
memory/2600-31-0x000000001AEB0000-0x000000001AEB8000-memory.dmp

Filesize
32KB

Download
memory/2600-32-0x000000001AEC0000-0x000000001AECA000-memory.dmp

Filesize
40KB

Download
memory/2600-33-0x000000001AED0000-0x000000001AEDC000-memory.dmp

Filesize
48KB

Download
memory/2600-25-0x00000000024B0000-0x00000000024BC000-memory.dmp

Filesize
48KB

Download
memory/2600-24-0x00000000024C0000-0x00000000024C8000-memory.dmp

Filesize
32KB

Download
memory/2600-63-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2600-23-0x00000000024A0000-0x00000000024AC000-memory.dmp

Filesize
48KB

Download
memory/2600-22-0x0000000002490000-0x000000000249C000-memory.dmp

Filesize
48KB

Download
memory/2600-21-0x0000000002480000-0x0000000002488000-memory.dmp

Filesize
32KB

Download
memory/2600-20-0x0000000002470000-0x000000000247C000-memory.dmp

Filesize
48KB

Download
memory/2600-19-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/2600-1-0x0000000000A60000-0x0000000000C9E000-memory.dmp

Filesize
2.2MB

Download
memory/2600-18-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2600-17-0x0000000002290000-0x000000000229C000-memory.dmp

Filesize
48KB

Download
memory/2600-16-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/2600-0-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

Filesize
4KB

Download
memory/2600-14-0x0000000002260000-0x000000000226A000-memory.dmp

Filesize
40KB

Download
memory/2600-12-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/2600-13-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/2600-26-0x000000001A950000-0x000000001A95A000-memory.dmp

Filesize
40KB

Download
memory/2600-8-0x0000000002200000-0x0000000002216000-memory.dmp

Filesize
88KB

Download
memory/2600-10-0x0000000002240000-0x0000000002252000-memory.dmp

Filesize
72KB

Download
memory/2600-9-0x0000000000A50000-0x0000000000A58000-memory.dmp

Filesize
32KB

Download
memory/2600-7-0x0000000000A40000-0x0000000000A50000-memory.dmp

Filesize
64KB

Download
memory/2600-6-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/2600-4-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/2600-5-0x0000000000A20000-0x0000000000A3C000-memory.dmp

Filesize
112KB

Download
memory/2600-3-0x00000000002D0000-0x00000000002DE000-memory.dmp

Filesize
56KB

Download
memory/2600-2-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2924-87-0x0000000000F90000-0x00000000011CE000-memory.dmp

Filesize
2.2MB

Download