dcrat | fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
Size

4.9MB
MD5

ebc81db3d71154bc617356d897e0d450
SHA1

d8a2a478437abd6f69685903700b1e9e5a30c6ce
SHA256

fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25
SHA512

33dd0b853085ff2256384c34b44652b9815a34920eea200a3859ac7f626e9795036bdcac6b2de8cf4c03d433431ea5121676f84312a7a90f34fdeb6a8c54ea72
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2724	schtasks.exe	28

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1596-2-0x000000001B210000-0x000000001B33E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1496	powershell.exe
1708	powershell.exe
1604	powershell.exe
2128	powershell.exe
2916	powershell.exe
2296	powershell.exe
1420	powershell.exe
2220	powershell.exe
2420	powershell.exe
2912	powershell.exe
2060	powershell.exe
1120	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
1008	System.exe
2396	System.exe
2280	System.exe
2004	System.exe
2952	System.exe
884	System.exe
2980	System.exe
1456	System.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Journal\es-ES\winlogon.exe	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
File created	C:\Program Files\7-Zip\Lang\Idle.exe	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
File created	C:\Program Files\7-Zip\Lang\6ccacd8608530f	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
File created	C:\Program Files\Windows Journal\es-ES\winlogon.exe	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
File created	C:\Program Files\Windows Journal\es-ES\cc11b995f2a76d	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX58DC.tmp	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\Idle.exe	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
File opened for modification	C:\Program Files\Windows Journal\es-ES\RCX61D6.tmp	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\PLA\System\System.exe	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
File opened for modification	C:\Windows\PLA\System\System.exe	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
File created	C:\Windows\PLA\System\27d1bcfc3c54e0	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
File created	C:\Windows\security\database\smss.exe	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
File created	C:\Windows\security\database\69ddcba757bf72	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
File opened for modification	C:\Windows\PLA\System\RCX56D8.tmp	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
File opened for modification	C:\Windows\security\database\RCX5FD2.tmp	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
File opened for modification	C:\Windows\security\database\smss.exe	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2700	schtasks.exe
1616	schtasks.exe
2036	schtasks.exe
2988	schtasks.exe
604	schtasks.exe
2964	schtasks.exe
1964	schtasks.exe
2460	schtasks.exe
2772	schtasks.exe
2596	schtasks.exe
848	schtasks.exe
572	schtasks.exe
1728	schtasks.exe
1948	schtasks.exe
2548	schtasks.exe
2524	schtasks.exe
1844	schtasks.exe
2780	schtasks.exe
1860	schtasks.exe
2976	schtasks.exe
880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
2916	powershell.exe
1604	powershell.exe
2220	powershell.exe
1708	powershell.exe
2420	powershell.exe
1420	powershell.exe
2128	powershell.exe
2060	powershell.exe
1496	powershell.exe
2296	powershell.exe
2912	powershell.exe
1120	powershell.exe
1008	System.exe
2396	System.exe
2280	System.exe
2004	System.exe
2952	System.exe
884	System.exe
2980	System.exe
1456	System.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	1008	System.exe
Token: SeDebugPrivilege	2396	System.exe
Token: SeDebugPrivilege	2280	System.exe
Token: SeDebugPrivilege	2004	System.exe
Token: SeDebugPrivilege	2952	System.exe
Token: SeDebugPrivilege	884	System.exe
Token: SeDebugPrivilege	2980	System.exe
Token: SeDebugPrivilege	1456	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 2916	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	50
PID 1596 wrote to memory of 2916	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	50
PID 1596 wrote to memory of 2916	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	50
PID 1596 wrote to memory of 2912	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	51
PID 1596 wrote to memory of 2912	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	51
PID 1596 wrote to memory of 2912	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	51
PID 1596 wrote to memory of 2128	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	53
PID 1596 wrote to memory of 2128	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	53
PID 1596 wrote to memory of 2128	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	53
PID 1596 wrote to memory of 1604	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	54
PID 1596 wrote to memory of 1604	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	54
PID 1596 wrote to memory of 1604	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	54
PID 1596 wrote to memory of 2060	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	55
PID 1596 wrote to memory of 2060	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	55
PID 1596 wrote to memory of 2060	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	55
PID 1596 wrote to memory of 1708	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	56
PID 1596 wrote to memory of 1708	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	56
PID 1596 wrote to memory of 1708	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	56
PID 1596 wrote to memory of 2420	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	57
PID 1596 wrote to memory of 2420	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	57
PID 1596 wrote to memory of 2420	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	57
PID 1596 wrote to memory of 2220	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	58
PID 1596 wrote to memory of 2220	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	58
PID 1596 wrote to memory of 2220	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	58
PID 1596 wrote to memory of 1496	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	59
PID 1596 wrote to memory of 1496	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	59
PID 1596 wrote to memory of 1496	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	59
PID 1596 wrote to memory of 2296	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	60
PID 1596 wrote to memory of 2296	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	60
PID 1596 wrote to memory of 2296	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	60
PID 1596 wrote to memory of 1120	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	61
PID 1596 wrote to memory of 1120	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	61
PID 1596 wrote to memory of 1120	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	61
PID 1596 wrote to memory of 1420	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	63
PID 1596 wrote to memory of 1420	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	63
PID 1596 wrote to memory of 1420	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	63
PID 1596 wrote to memory of 2292	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	74
PID 1596 wrote to memory of 2292	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	74
PID 1596 wrote to memory of 2292	1596	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe	74
PID 2292 wrote to memory of 2792	2292	cmd.exe	76
PID 2292 wrote to memory of 2792	2292	cmd.exe	76
PID 2292 wrote to memory of 2792	2292	cmd.exe	76
PID 2292 wrote to memory of 1008	2292	cmd.exe	77
PID 2292 wrote to memory of 1008	2292	cmd.exe	77
PID 2292 wrote to memory of 1008	2292	cmd.exe	77
PID 1008 wrote to memory of 1828	1008	System.exe	78
PID 1008 wrote to memory of 1828	1008	System.exe	78
PID 1008 wrote to memory of 1828	1008	System.exe	78
PID 1008 wrote to memory of 2768	1008	System.exe	79
PID 1008 wrote to memory of 2768	1008	System.exe	79
PID 1008 wrote to memory of 2768	1008	System.exe	79
PID 1828 wrote to memory of 2396	1828	WScript.exe	80
PID 1828 wrote to memory of 2396	1828	WScript.exe	80
PID 1828 wrote to memory of 2396	1828	WScript.exe	80
PID 2396 wrote to memory of 1520	2396	System.exe	81
PID 2396 wrote to memory of 1520	2396	System.exe	81
PID 2396 wrote to memory of 1520	2396	System.exe	81
PID 2396 wrote to memory of 1488	2396	System.exe	82
PID 2396 wrote to memory of 1488	2396	System.exe	82
PID 2396 wrote to memory of 1488	2396	System.exe	82
PID 1520 wrote to memory of 2280	1520	WScript.exe	85
PID 1520 wrote to memory of 2280	1520	WScript.exe	85
PID 1520 wrote to memory of 2280	1520	WScript.exe	85
PID 2280 wrote to memory of 1184	2280	System.exe	86

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
"C:\Users\Admin\AppData\Local\Temp\fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Teqwt2Oo5i.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2792
- - C:\Windows\PLA\System\System.exe
    "C:\Windows\PLA\System\System.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1008
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0663982c-a249-4774-97f6-7b9f39b34d33.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1828
    - - C:\Windows\PLA\System\System.exe
        
        C:\Windows\PLA\System\System.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2396
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecb6f14d-2c2a-4769-9e5e-ba6c114748e6.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\PLA\System\System.exe
        
        C:\Windows\PLA\System\System.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce591128-6f1c-426c-9ee9-471940c6b74f.vbs"
        8⤵
        
        PID:1184
        
        C:\Windows\PLA\System\System.exe
        
        C:\Windows\PLA\System\System.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eae5a87a-e237-4082-a9f4-8abd9a75b7e7.vbs"
        10⤵
        
        PID:2548
        
        C:\Windows\PLA\System\System.exe
        
        C:\Windows\PLA\System\System.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92a01590-d412-4bd3-9183-e721e9854c8f.vbs"
        12⤵
        
        PID:1568
        
        C:\Windows\PLA\System\System.exe
        
        C:\Windows\PLA\System\System.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1eef5fdd-9666-4d53-8388-db6523c9ee9d.vbs"
        14⤵
        
        PID:1256
        
        C:\Windows\PLA\System\System.exe
        
        C:\Windows\PLA\System\System.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1971b4ff-daa4-4157-9491-dea89b1434bb.vbs"
        16⤵
        
        PID:1772
        
        C:\Windows\PLA\System\System.exe
        
        C:\Windows\PLA\System\System.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\151dbd77-8741-49c1-98d0-3b8e10e8db29.vbs"
        18⤵
        
        PID:284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07f95b4b-3036-4041-9b8d-534f717e0f2b.vbs"
        18⤵
        
        PID:1612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35066c36-beff-4e4d-ad3b-946d80c6a80c.vbs"
        16⤵
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5a31950-34d3-4779-a29f-76ca07e1be50.vbs"
        14⤵
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\520f382f-9938-4694-bfb8-593f80d22834.vbs"
        12⤵
        
        PID:3028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\578252b6-9d0f-48a0-8b64-9c6da01952f0.vbs"
        10⤵
        
        PID:2312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\330dd81b-e435-497e-bbc2-9fdcb630255e.vbs"
        8⤵
        
        PID:2984
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65d7a154-f0a4-4723-9fcd-f57b426a700b.vbs"
        6⤵
        
        PID:1488
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edafbef4-9b73-4e41-8159-7fd86141dc94.vbs"
      4⤵
      PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\System\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PLA\System\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\System\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\security\database\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\security\database\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\security\database\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\es-ES\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Favorites\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Favorites\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Favorites\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0663982c-a249-4774-97f6-7b9f39b34d33.vbs

Filesize
708B

MD5
552b03c6cc96984d414e7ea0bad20e49

SHA1
2978dc7c43b7562530d24d435721fe45ad994c37

SHA256
de555663ebf2c783749968c033b17b6f7cda4aff04633094759adaf613f2a5a2

SHA512
030764c8ad7e13ad78c6f19e362f375eaba97868f22119240b107888c46e2afb070ad580ff6e91d5cbfa5cbbc275484d477a7490cf3d593bc0405822f34244a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\151dbd77-8741-49c1-98d0-3b8e10e8db29.vbs

Filesize
708B

MD5
222e03c3e2ba3d20e5666cc64d4af9c7

SHA1
b13eeaaf2b9323ac4ecd3ce4b0e58b732fb516ab

SHA256
0a5448a7d8c5ceddd7c9290e4f224c40073d58765193f8bff634916af2617ccc

SHA512
c7dd99d1948489fb41b86affc409d6c04779a9462092ce73da18a8e4be3c0e931078756a28992cdf561d6bdeb55384195df8ea4656ffda38c32f89ded22ce0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1971b4ff-daa4-4157-9491-dea89b1434bb.vbs

Filesize
708B

MD5
75d15b98d4501d1df1d0b3b98230eaec

SHA1
cc3b9ac70e83f53cf5750ac0d18dc3a15614ce4b

SHA256
b279db24b1f6d16e3643a14f27803ea17798ff07bc91c2149161d2c0bac0f468

SHA512
063489b36a6b571f06c6a3af3c31aab1679782ac9c694f1285a6980f33d1ee9dfec85223a8d1e572d6cec9bb29dabbc70cd7b6389692550ea6e1889016ffad07

Download Submit
C:\Users\Admin\AppData\Local\Temp\1eef5fdd-9666-4d53-8388-db6523c9ee9d.vbs

Filesize
707B

MD5
8d34e92641af0db54d90e00413cb1211

SHA1
d70115739fb1ec0c997fd837246ce2a85751e898

SHA256
2b1fbf7286de92ee14571efad6fab8e0228372f70f1d113624b9335a6c20fa33

SHA512
a8bd4589c554e639403e2436303ace4cd9e90e3ceadb23ebaf1d20789cb49e9430b805ba6089eed449062b218e87a4c6244a295258354296e410c37ee29caaed

Download Submit
C:\Users\Admin\AppData\Local\Temp\92a01590-d412-4bd3-9183-e721e9854c8f.vbs

Filesize
708B

MD5
42733c70c942d39779ddf3ece2962406

SHA1
a4ff975335e3de404fc937706323368e7a035221

SHA256
303286ebce20a4dd61575e4a86c2f368484d20313326007c2c684419dec96540

SHA512
c6786963a8bd492599906f07f819b0ab1bbfce3360c22ab51a21abe62af12581a2348d3809662b14fdbc26cce6d0e73b6e4a9f1bfc94fde5cbb6512fae4ba608

Download Submit
C:\Users\Admin\AppData\Local\Temp\Teqwt2Oo5i.bat

Filesize
197B

MD5
2f007e2bf4c3c4ebababe291e6dd164d

SHA1
01812471adbcd631a074584936c6729ae0ab4763

SHA256
57606e075f45e4f5d00ccd087ee7d21db6d82ba94562c12e6d83950b4a81b120

SHA512
c11bf5008b0a7af65208d09b2e208ead9093063b7980fb9494c452f5c5c0b88927592d3c3f068ae9255d8768149153be6f92838b9597ebd16b940c528eac7819

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce591128-6f1c-426c-9ee9-471940c6b74f.vbs

Filesize
708B

MD5
abe22391a7d17e0a0eb538103294b12a

SHA1
678be9c1f8e7cd150d6b1f8bf0871bd0d9bec996

SHA256
63e9313b02bdca9b27e021b67c83c32fcc23564b7f377b0be279917bec1dfb33

SHA512
b7d0bd02cc10b09151b1ff90298d13640dcc1413ec9bd2da45898bb33e77ca799b966fa2e239e6863a46165bc53ae712e13bd70d392169566af632b617a18ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\eae5a87a-e237-4082-a9f4-8abd9a75b7e7.vbs

Filesize
708B

MD5
fb8cfdecfcfa623c684584a296478b27

SHA1
7e35626229a90970690a011f9708ca3c6cfcca42

SHA256
04b5c902fd9f9491e12ab374d6818e6e11ce3f224f527ca1aa798c600280388e

SHA512
91a8561c864c19c066ed02e9d6c4f45772c31402f5c8cf74a6b8bb321e89c78e4340272419576bf96fadc6f257ae3b92cda331fd9617242ef8dacaa0018a1897

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecb6f14d-2c2a-4769-9e5e-ba6c114748e6.vbs

Filesize
708B

MD5
ad3c600c0585301076c796971b41d7cd

SHA1
c053be14e28fd310df41798bc49ee1ab02cdb051

SHA256
5c77f4916de693e617f4085e5cbeb6a3a5500aae1f84fc57680dc8a3ece9f37b

SHA512
9887432f560db316feaa63d656e2e4af89e7b64ddee5f2a19d72ad71d69a33c225ab66c59813d2d98f0cefd36c200b258af86decbd3864c4f9aa0c7ed7418346

Download Submit
C:\Users\Admin\AppData\Local\Temp\edafbef4-9b73-4e41-8159-7fd86141dc94.vbs

Filesize
484B

MD5
ee5a00a700ec64f2103b30631b3702ca

SHA1
0269803c92dec05e09a8ac4280f06f8e4e6191df

SHA256
e052c2d0b1f4971a6b81a1e31228ff41777e02cd63c470a2427d2e38e7e887db

SHA512
b2721c7057ab1d99e738ae92390b97798c6a163e2701cf954740b12887a1c32c3f1e2f0bec81f3f94c1a8a053836cf7e0d86644bd457acdcde2025fc623e1729

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8CA6.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
17c7704f5b7579ef092b1a7568b87737

SHA1
e49fee45793fe78071f7d175743eb56e52e9df4a

SHA256
723af385f972325fa078d400daf213a4567ee3ceeb869443ad69d90991e0733c

SHA512
8aa34c12a4ae1ad99ed78202ea489b7c8ce4820b2121b6217a4a6351d348b6107347a8129d10da17eb04dca2f510d9bd1c778e616fa6f070209f21498c14597b

Download Submit
C:\Users\Public\Favorites\RCX63DA.tmp

Filesize
4.9MB

MD5
092ac959610c8318e390a1e73a9f4d03

SHA1
e0d6390aae852e5ad57bce8166479a456d4c345c

SHA256
c358896045f9244ea83508403ebac867dc783c4eb8ae742189a1bb06de8ec6ef

SHA512
8d624e7c815fed731cf8ac111163fa1e6b96c74953111f34eb2159c4ef0452dd3603757ce4e527076ae4dc7fb7f781469bfa5417ee079f75f5ffa960f83056ac

Download Submit
C:\Windows\security\database\smss.exe

Filesize
4.9MB

MD5
ebc81db3d71154bc617356d897e0d450

SHA1
d8a2a478437abd6f69685903700b1e9e5a30c6ce

SHA256
fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25

SHA512
33dd0b853085ff2256384c34b44652b9815a34920eea200a3859ac7f626e9795036bdcac6b2de8cf4c03d433431ea5121676f84312a7a90f34fdeb6a8c54ea72

Download Submit
memory/1008-154-0x00000000008D0000-0x0000000000DC4000-memory.dmp

Filesize
5.0MB

Download
memory/1596-11-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/1596-9-0x0000000000B10000-0x0000000000B1A000-memory.dmp

Filesize
40KB

Download
memory/1596-15-0x0000000002520000-0x0000000002528000-memory.dmp

Filesize
32KB

Download
memory/1596-0-0x000007FEF56A3000-0x000007FEF56A4000-memory.dmp

Filesize
4KB

Download
memory/1596-92-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/1596-1-0x0000000000320000-0x0000000000814000-memory.dmp

Filesize
5.0MB

Download
memory/1596-12-0x0000000000B40000-0x0000000000B4E000-memory.dmp

Filesize
56KB

Download
memory/1596-2-0x000000001B210000-0x000000001B33E000-memory.dmp

Filesize
1.2MB

Download
memory/1596-13-0x0000000002500000-0x000000000250E000-memory.dmp

Filesize
56KB

Download
memory/1596-14-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/1596-10-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/1596-16-0x0000000002530000-0x000000000253C000-memory.dmp

Filesize
48KB

Download
memory/1596-8-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/1596-3-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/1596-7-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/1596-6-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

Filesize
64KB

Download
memory/1596-5-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/1596-4-0x0000000000AB0000-0x0000000000ACC000-memory.dmp

Filesize
112KB

Download
memory/2396-168-0x0000000001310000-0x0000000001804000-memory.dmp

Filesize
5.0MB

Download
memory/2916-95-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2916-93-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download