dcrat | 03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Size

1.5MB
MD5

809d07e665342266dbea6c6017c021f8
SHA1

4e51b1936b39b1df13792cb2ee0a3e2cf2c098b1
SHA256

03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26
SHA512

69908b7064f6a482820eff4e3f83c15f6e6b30dea7d155bb007aa58fecaac1902475c392627c675ea1bcd8cf0158bdcd0d23c735d1ba7f8b85823125823b5dec
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\vga\\winlogon.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\vga\\winlogon.exe\", \"C:\\Windows\\System32\\scesrv\\smss.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\vga\\winlogon.exe\", \"C:\\Windows\\System32\\scesrv\\smss.exe\", \"C:\\PerfLogs\\Admin\\sppsvc.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\vga\\winlogon.exe\", \"C:\\Windows\\System32\\scesrv\\smss.exe\", \"C:\\PerfLogs\\Admin\\sppsvc.exe\", \"C:\\Windows\\System32\\lcphrase\\lsm.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\vga\\winlogon.exe\", \"C:\\Windows\\System32\\scesrv\\smss.exe\", \"C:\\PerfLogs\\Admin\\sppsvc.exe\", \"C:\\Windows\\System32\\lcphrase\\lsm.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\audiodg.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2880	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2812	powershell.exe
2788	powershell.exe
2332	powershell.exe
2784	powershell.exe
1924	powershell.exe
1320	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Executes dropped EXE 11 IoCs

pid	Process
2156	lsm.exe
2320	lsm.exe
2820	lsm.exe
2944	lsm.exe
2260	lsm.exe
1372	lsm.exe
2160	lsm.exe
2864	lsm.exe
2944	lsm.exe
1048	lsm.exe
2288	lsm.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\vga\\winlogon.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\scesrv\\smss.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\lcphrase\\lsm.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\lcphrase\\lsm.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\vga\\winlogon.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\scesrv\\smss.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\PerfLogs\\Admin\\sppsvc.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\PerfLogs\\Admin\\sppsvc.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\audiodg.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\audiodg.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vga\winlogon.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\System32\scesrv\smss.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\System32\lcphrase\101b941d020240	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\System32\scesrv\RCXBC30.tmp	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\System32\lcphrase\RCXC0A5.tmp	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\System32\vga\winlogon.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\System32\vga\cc11b995f2a76d	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\System32\scesrv\69ddcba757bf72	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\System32\lcphrase\lsm.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\System32\vga\RCXB9BF.tmp	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\System32\scesrv\smss.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\System32\lcphrase\lsm.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2612	schtasks.exe
2820	schtasks.exe
2624	schtasks.exe
2732	schtasks.exe
2408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2812	powershell.exe
1924	powershell.exe
1320	powershell.exe
2784	powershell.exe
2332	powershell.exe
2788	powershell.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe
2156	lsm.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2156	lsm.exe
Token: SeDebugPrivilege	2320	lsm.exe
Token: SeDebugPrivilege	2820	lsm.exe
Token: SeDebugPrivilege	2944	lsm.exe
Token: SeDebugPrivilege	2260	lsm.exe
Token: SeDebugPrivilege	1372	lsm.exe
Token: SeDebugPrivilege	2160	lsm.exe
Token: SeDebugPrivilege	2864	lsm.exe
Token: SeDebugPrivilege	2944	lsm.exe
Token: SeDebugPrivilege	1048	lsm.exe
Token: SeDebugPrivilege	2288	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1924	2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	36
PID 2084 wrote to memory of 1924	2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	36
PID 2084 wrote to memory of 1924	2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	36
PID 2084 wrote to memory of 1320	2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	37
PID 2084 wrote to memory of 1320	2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	37
PID 2084 wrote to memory of 1320	2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	37
PID 2084 wrote to memory of 2812	2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	38
PID 2084 wrote to memory of 2812	2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	38
PID 2084 wrote to memory of 2812	2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	38
PID 2084 wrote to memory of 2788	2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	39
PID 2084 wrote to memory of 2788	2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	39
PID 2084 wrote to memory of 2788	2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	39
PID 2084 wrote to memory of 2332	2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	40
PID 2084 wrote to memory of 2332	2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	40
PID 2084 wrote to memory of 2332	2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	40
PID 2084 wrote to memory of 2784	2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	41
PID 2084 wrote to memory of 2784	2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	41
PID 2084 wrote to memory of 2784	2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	41
PID 2084 wrote to memory of 1196	2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	44
PID 2084 wrote to memory of 1196	2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	44
PID 2084 wrote to memory of 1196	2084	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	44
PID 1196 wrote to memory of 2444	1196	cmd.exe	50
PID 1196 wrote to memory of 2444	1196	cmd.exe	50
PID 1196 wrote to memory of 2444	1196	cmd.exe	50
PID 1196 wrote to memory of 2156	1196	cmd.exe	52
PID 1196 wrote to memory of 2156	1196	cmd.exe	52
PID 1196 wrote to memory of 2156	1196	cmd.exe	52
PID 2156 wrote to memory of 2816	2156	lsm.exe	53
PID 2156 wrote to memory of 2816	2156	lsm.exe	53
PID 2156 wrote to memory of 2816	2156	lsm.exe	53
PID 2156 wrote to memory of 852	2156	lsm.exe	54
PID 2156 wrote to memory of 852	2156	lsm.exe	54
PID 2156 wrote to memory of 852	2156	lsm.exe	54
PID 2816 wrote to memory of 2320	2816	WScript.exe	55
PID 2816 wrote to memory of 2320	2816	WScript.exe	55
PID 2816 wrote to memory of 2320	2816	WScript.exe	55
PID 2320 wrote to memory of 2304	2320	lsm.exe	56
PID 2320 wrote to memory of 2304	2320	lsm.exe	56
PID 2320 wrote to memory of 2304	2320	lsm.exe	56
PID 2320 wrote to memory of 1796	2320	lsm.exe	57
PID 2320 wrote to memory of 1796	2320	lsm.exe	57
PID 2320 wrote to memory of 1796	2320	lsm.exe	57
PID 2304 wrote to memory of 2820	2304	WScript.exe	58
PID 2304 wrote to memory of 2820	2304	WScript.exe	58
PID 2304 wrote to memory of 2820	2304	WScript.exe	58
PID 2820 wrote to memory of 2060	2820	lsm.exe	59
PID 2820 wrote to memory of 2060	2820	lsm.exe	59
PID 2820 wrote to memory of 2060	2820	lsm.exe	59
PID 2820 wrote to memory of 1236	2820	lsm.exe	60
PID 2820 wrote to memory of 1236	2820	lsm.exe	60
PID 2820 wrote to memory of 1236	2820	lsm.exe	60
PID 2060 wrote to memory of 2944	2060	WScript.exe	61
PID 2060 wrote to memory of 2944	2060	WScript.exe	61
PID 2060 wrote to memory of 2944	2060	WScript.exe	61
PID 2944 wrote to memory of 1104	2944	lsm.exe	62
PID 2944 wrote to memory of 1104	2944	lsm.exe	62
PID 2944 wrote to memory of 1104	2944	lsm.exe	62
PID 2944 wrote to memory of 1472	2944	lsm.exe	63
PID 2944 wrote to memory of 1472	2944	lsm.exe	63
PID 2944 wrote to memory of 1472	2944	lsm.exe	63
PID 1104 wrote to memory of 2260	1104	WScript.exe	64
PID 1104 wrote to memory of 2260	1104	WScript.exe	64
PID 1104 wrote to memory of 2260	1104	WScript.exe	64
PID 2260 wrote to memory of 1960	2260	lsm.exe	65

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
"C:\Users\Admin\AppData\Local\Temp\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\vga\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\scesrv\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\lcphrase\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RI9VjIQYne.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2444
- - C:\Windows\System32\lcphrase\lsm.exe
    "C:\Windows\System32\lcphrase\lsm.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2156
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\559644e0-f221-4d79-b08d-9f1f9b256d58.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\System32\lcphrase\lsm.exe
        
        C:\Windows\System32\lcphrase\lsm.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2320
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1826f30-e898-4afe-b693-26c8da672207.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\System32\lcphrase\lsm.exe
        
        C:\Windows\System32\lcphrase\lsm.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d19000d-ad45-4216-8970-ffe51d9a502b.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\System32\lcphrase\lsm.exe
        
        C:\Windows\System32\lcphrase\lsm.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1be9ec4c-f725-439e-b835-e4ac1f6057a5.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\System32\lcphrase\lsm.exe
        
        C:\Windows\System32\lcphrase\lsm.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1fdc53f-af61-4a34-9b7c-8cfcd64d9503.vbs"
        12⤵
        
        PID:1960
        
        C:\Windows\System32\lcphrase\lsm.exe
        
        C:\Windows\System32\lcphrase\lsm.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb8eccea-7163-4a05-b029-cecd96b32fef.vbs"
        14⤵
        
        PID:2520
        
        C:\Windows\System32\lcphrase\lsm.exe
        
        C:\Windows\System32\lcphrase\lsm.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e304c67-89b5-4c7d-9180-aa0eab0ccd5b.vbs"
        16⤵
        
        PID:2576
        
        C:\Windows\System32\lcphrase\lsm.exe
        
        C:\Windows\System32\lcphrase\lsm.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4776da65-685a-4d58-bd26-aaf92a4d0373.vbs"
        18⤵
        
        PID:1144
        
        C:\Windows\System32\lcphrase\lsm.exe
        
        C:\Windows\System32\lcphrase\lsm.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21dc01fe-14f0-4eb3-bbc1-940dedcbcbf8.vbs"
        20⤵
        
        PID:1300
        
        C:\Windows\System32\lcphrase\lsm.exe
        
        C:\Windows\System32\lcphrase\lsm.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26675c32-e046-4b6b-aa2f-c487fb2ce684.vbs"
        22⤵
        
        PID:988
        
        C:\Windows\System32\lcphrase\lsm.exe
        
        C:\Windows\System32\lcphrase\lsm.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\977ae7dd-9169-4eb8-9bfa-9b946bdba6b4.vbs"
        24⤵
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9694b503-a3b7-41a3-9443-ea1e36f2ea34.vbs"
        24⤵
        
        PID:2012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d89b5df5-6d60-4177-ab9e-9c8368360f1f.vbs"
        22⤵
        
        PID:1084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a63449c2-e963-465b-bc87-4dbfb02d3c66.vbs"
        20⤵
        
        PID:992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0490cf5-2b6d-489f-b8bd-cd97ed7e7892.vbs"
        18⤵
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b52d86e-66aa-43ab-aed3-97ea91c8dd13.vbs"
        16⤵
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\735d8629-8513-4f6d-be0b-551b88abc886.vbs"
        14⤵
        
        PID:1912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08480b85-ef80-4184-9727-112c065dc075.vbs"
        12⤵
        
        PID:736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac17cbe5-d2d4-4d40-9517-c95cec24f78d.vbs"
        10⤵
        
        PID:1472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f7ca71f-1d3c-4f1d-b8df-4ce974e33685.vbs"
        8⤵
        
        PID:1236
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52c46e9f-ee02-4d3e-b864-125f44b3b21d.vbs"
        6⤵
        
        PID:1796
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4742ede-e294-47af-a3c5-cb62e4965a8c.vbs"
      4⤵
      PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\vga\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\scesrv\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\PerfLogs\Admin\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\lcphrase\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe

Filesize
1.5MB

MD5
809d07e665342266dbea6c6017c021f8

SHA1
4e51b1936b39b1df13792cb2ee0a3e2cf2c098b1

SHA256
03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26

SHA512
69908b7064f6a482820eff4e3f83c15f6e6b30dea7d155bb007aa58fecaac1902475c392627c675ea1bcd8cf0158bdcd0d23c735d1ba7f8b85823125823b5dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\1be9ec4c-f725-439e-b835-e4ac1f6057a5.vbs

Filesize
712B

MD5
f9b4f70b5958d17d2fa09d2111aa4cee

SHA1
1eaf18bd0b2f1a75680c856a1551fcb4ebcd265d

SHA256
dbe93e797949f7f0392f90056c3cbdb7506de2047f9bcc86659ea33204b20dc8

SHA512
37e6c31d1da96e3684ddf0edcd7690f4e884f7a2a9ffc7552fc06bd4228cc04a3fc144e029612bf073f30524f6efdd93c2e1f7387d4b1a2824bc6e22878d20ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\26675c32-e046-4b6b-aa2f-c487fb2ce684.vbs

Filesize
712B

MD5
9cad3518707995f5a86956d596b4043b

SHA1
1707f722af5da548e75fa6844a7f0e873d33292c

SHA256
70cec2788f16fad0bd5acfd66223212bad8e915074cffd2670e587bfaa28adda

SHA512
8bb0a728e3cf98842f5f33a93907868aee42d0499813e5fc9a1febe6c709eca87e7cc2afe7655aad94de8fb4fc145297f63adf459bf106118b25044be4f56a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\4776da65-685a-4d58-bd26-aaf92a4d0373.vbs

Filesize
712B

MD5
844cb8674b68093b9a7588d9f04833f0

SHA1
17fd34348d3fa7eb74cfc4696bd1ca14101b7f7d

SHA256
1b0302e3e17b2b5fd3c1772ceaa0750468efb8e5762f59963f273da9f3084b41

SHA512
12e8f8f59433f38210111b6d6c41af044791d9b1248ca8ea733c84e776bd897c6b0040271e7c42fc899cddb221c32634a5182b2d0c849b2a1bda592eab63ee2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\559644e0-f221-4d79-b08d-9f1f9b256d58.vbs

Filesize
712B

MD5
1c23e3b10d846eac5bc279e02c3dc429

SHA1
dd8213d327c413d8d3739bbdf7adc9fa3b3cff0b

SHA256
bf5d8f6db60b85821fafa7ec53cee182f49b6b661fa08f578e68c9f353e735d7

SHA512
12a86b18cffda0b605bea2dde1ec3215dce15de78184c18d9518e03390ec1a70d1088f8386b5800ebae2f4511d89f5c7da3386a4079fa2135d46212f56c29b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d19000d-ad45-4216-8970-ffe51d9a502b.vbs

Filesize
712B

MD5
93b98c9483c1bb992987e37dcb6137bc

SHA1
52ded1980ac8e826e94014904a8048bb26193f78

SHA256
5aea9918488d940a5ef845d56783900d0182bca5cb94561d1b0148b7e69ba4d3

SHA512
ad1e16e3b59fae9ab08037d806601d098fa8d5d01a4b039de17b555209dbf712c5a25705210403d94318589d5580d2cfdbaf209119d6d9b4bde1a3d72691e4b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\977ae7dd-9169-4eb8-9bfa-9b946bdba6b4.vbs

Filesize
712B

MD5
14f8f8b61ac8a132a535d601dd5ec677

SHA1
4dc4967c4393a2cf92e5c0a957b0326664fa88cf

SHA256
fcbafb2b8ea74390ead40c54ceae14e6aa8b7c501e24c6cfba512f1ee97ae7f2

SHA512
141fd131052b36c707a088f7aaf728894b1fd60663c7e215e4dd629213730fba20cdc733aa5b3fe38e1869fa06f3101a6784689bb8f7f8771e3d4fbbd709b957

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e304c67-89b5-4c7d-9180-aa0eab0ccd5b.vbs

Filesize
712B

MD5
dc45ac979936d7dde787720fd5dd1d15

SHA1
33260034b9d72ee3874a2f2808d118afa4c8d8d5

SHA256
769302053398b11bd408c6f3cad6360f4d003f11ca6541a332bb3ba334f0d55d

SHA512
aa4788608908f5264e190bbd8243dff8cb377e5b6261bc21839970fc5f22c411ce23d1ea8a4619505f2a5915d85a01dd6431a5b325f39ab841213a8be959d866

Download Submit
C:\Users\Admin\AppData\Local\Temp\RI9VjIQYne.bat

Filesize
200B

MD5
d968f00c3c3b6f0370d7caec96c53774

SHA1
62c71a7b3f8a0a6fff2daa1ff2e9be903a02d2c2

SHA256
040c1fb62a26ec21629cb5dfbacc49f375df087c5a72acd6e685cca3565bb5e0

SHA512
5524af0b8e1fe83d4f1553efd174588a505dbe31b46c2f99f0ffd0cefdd3203f58a3122bc2e80b1b3cb33769ca13b63be166b0495a2b66434685b95190107de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1826f30-e898-4afe-b693-26c8da672207.vbs

Filesize
712B

MD5
010ad19c59e24de109714dcab629eee5

SHA1
9e13bda2e35d9c253bda332a9a3b6b3fd84ec0a7

SHA256
042a9fd3553c2641dfea8fa848e9b6e8e84d4d184e35d94e1f47b961b2b1885a

SHA512
a8366395a70d1b046181f689af642ec5f40a53e40a8731784469996b054d4d5f459779067d6af598215ad4caba17f0ad25454bfd1a6b10572cb4bf375cad12e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1fdc53f-af61-4a34-9b7c-8cfcd64d9503.vbs

Filesize
712B

MD5
ec8f4c072694682721bd1ed96830f4fd

SHA1
67c4dfa1653d42ab7f51aacdbd7dea1626775a11

SHA256
d8f2bc6dcb5c3ff18c196524aa9203e7d3b54c734327ade4e62c09cbf2cbc0e8

SHA512
dfb24f6f6cf1a0976f88f6f7566fd3e56451d616d1d814faeb496d27a09096019eb1eded42cffa5d2133cb9cfe76070143dd3b54d507d2f2761fb53d35704e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4742ede-e294-47af-a3c5-cb62e4965a8c.vbs

Filesize
488B

MD5
bc0d7892fcbebca8a799ea6dc2130032

SHA1
f64e3d391d0a67d65e507ea8c7c4c24c9f870b3f

SHA256
a5a3a8dc4ba9bbec647d2a4e9f030fd4ce31bc93651f1959197bb94fb434a209

SHA512
0b517b042e7c11aaf2efc893ec2a145808ad3cb6701b621140d7e7907b6cfe34a9a586587d9447e2af12dd02307d65412bffdaf9d049a21c3e48ddc699a762c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb8eccea-7163-4a05-b029-cecd96b32fef.vbs

Filesize
712B

MD5
58ef0f3d38e68859142fd5dfc3713662

SHA1
9bc19ad925d96fe0c4ae2b37b0c716006f78f8b5

SHA256
367cfe3f1cc57aa166ffd2e96396f17455d245a885e189baca5e99bed7c1de33

SHA512
0c29159470834bffd90aa112dbf50c1b0484faa4dd872df795784320b518c8f37a5240fbaa28e3f527bbc472e4175bb62d8cc359ea3c33fe06bd21e5eec7cb9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4dbcc8738d64f0a49bdccd28994f6ece

SHA1
807d6f28ba08f8a3ad0062e2b57824adcfed832a

SHA256
8415e1b4caf195580617fa96257e2154f67e164127d1b6259e38e4320168267e

SHA512
0ff9b5f7fb41fc4d0f28e7aedf52f9eacd9f47d9e89ade919cb9671f4c6b6f0b3df4603615f095ac1f1390ceba6145c49876a36d3ea1d1d2a2b307b5aa9d96a7

Download Submit
memory/1048-217-0x00000000012C0000-0x000000000143E000-memory.dmp

Filesize
1.5MB

Download
memory/1372-168-0x0000000000D20000-0x0000000000E9E000-memory.dmp

Filesize
1.5MB

Download
memory/1372-169-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2084-13-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/2084-6-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/2084-20-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/2084-21-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/2084-24-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-17-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download
memory/2084-42-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-16-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/2084-15-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/2084-90-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-1-0x0000000000E90000-0x000000000100E000-memory.dmp

Filesize
1.5MB

Download
memory/2084-2-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-3-0x0000000000140000-0x0000000000148000-memory.dmp

Filesize
32KB

Download
memory/2084-14-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2084-0-0x000007FEF55A3000-0x000007FEF55A4000-memory.dmp

Filesize
4KB

Download
memory/2084-4-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2084-12-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/2084-5-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/2084-11-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/2084-18-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/2084-10-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/2084-7-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download
memory/2084-8-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/2084-9-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2156-109-0x0000000000E00000-0x0000000000F7E000-memory.dmp

Filesize
1.5MB

Download
memory/2160-181-0x0000000000F30000-0x00000000010AE000-memory.dmp

Filesize
1.5MB

Download
memory/2260-156-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/2288-229-0x0000000000380000-0x00000000004FE000-memory.dmp

Filesize
1.5MB

Download
memory/2320-120-0x0000000000E50000-0x0000000000FCE000-memory.dmp

Filesize
1.5MB

Download
memory/2812-79-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2812-89-0x0000000001F30000-0x0000000001F38000-memory.dmp

Filesize
32KB

Download
memory/2820-132-0x0000000000360000-0x00000000004DE000-memory.dmp

Filesize
1.5MB

Download
memory/2864-193-0x00000000001A0000-0x000000000031E000-memory.dmp

Filesize
1.5MB

Download
memory/2944-144-0x0000000000D00000-0x0000000000E7E000-memory.dmp

Filesize
1.5MB

Download
memory/2944-205-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download