dcrat | 50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/12/2024, 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Size

1.5MB
MD5

7b051970be6c2699829c126a8a6e63e0
SHA1

95dc9fe1223e49f02932104f79b91f38040f242a
SHA256

50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65
SHA512

f71d210e34c6cfa62de1dfe0a74ae33e91f41f4eb8b95bc169edd3b2e7f51e897dcafdcfcd5e138f337b46aefbe7ab06c29c65234a39cd2039c2cc108231f2c0
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
		2860	schtasks.exe
		2768	schtasks.exe
		1740	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Templates\\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Templates\\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe\", \"C:\\Users\\Default User\\explorer.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Templates\\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\PerfLogs\\Admin\\lsass.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2972	schtasks.exe	29

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
940	powershell.exe
2012	powershell.exe
2724	powershell.exe
1976	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe

Executes dropped EXE 8 IoCs

pid	Process
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2152	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2128	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2816	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
956	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2508	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2500	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2600	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N = "\"C:\\ProgramData\\Templates\\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default User\\explorer.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default User\\explorer.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\PerfLogs\\Admin\\lsass.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\PerfLogs\\Admin\\lsass.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N = "\"C:\\ProgramData\\Templates\\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2860	schtasks.exe
2768	schtasks.exe
1740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2724	powershell.exe
2012	powershell.exe
940	powershell.exe
1976	powershell.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2152	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2152	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2152	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2152	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2152	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2152	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
2152	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Token: SeDebugPrivilege	2152	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Token: SeDebugPrivilege	2128	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Token: SeDebugPrivilege	2816	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Token: SeDebugPrivilege	956	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Token: SeDebugPrivilege	2508	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Token: SeDebugPrivilege	2500	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Token: SeDebugPrivilege	2600	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 2724	1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	33
PID 1492 wrote to memory of 2724	1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	33
PID 1492 wrote to memory of 2724	1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	33
PID 1492 wrote to memory of 2012	1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	34
PID 1492 wrote to memory of 2012	1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	34
PID 1492 wrote to memory of 2012	1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	34
PID 1492 wrote to memory of 1976	1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	35
PID 1492 wrote to memory of 1976	1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	35
PID 1492 wrote to memory of 1976	1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	35
PID 1492 wrote to memory of 940	1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	37
PID 1492 wrote to memory of 940	1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	37
PID 1492 wrote to memory of 940	1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	37
PID 1492 wrote to memory of 580	1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	41
PID 1492 wrote to memory of 580	1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	41
PID 1492 wrote to memory of 580	1492	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	41
PID 580 wrote to memory of 2640	580	cmd.exe	43
PID 580 wrote to memory of 2640	580	cmd.exe	43
PID 580 wrote to memory of 2640	580	cmd.exe	43
PID 580 wrote to memory of 2344	580	cmd.exe	44
PID 580 wrote to memory of 2344	580	cmd.exe	44
PID 580 wrote to memory of 2344	580	cmd.exe	44
PID 2344 wrote to memory of 1968	2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	45
PID 2344 wrote to memory of 1968	2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	45
PID 2344 wrote to memory of 1968	2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	45
PID 2344 wrote to memory of 1544	2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	46
PID 2344 wrote to memory of 1544	2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	46
PID 2344 wrote to memory of 1544	2344	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	46
PID 1968 wrote to memory of 2152	1968	WScript.exe	47
PID 1968 wrote to memory of 2152	1968	WScript.exe	47
PID 1968 wrote to memory of 2152	1968	WScript.exe	47
PID 2152 wrote to memory of 2432	2152	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	48
PID 2152 wrote to memory of 2432	2152	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	48
PID 2152 wrote to memory of 2432	2152	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	48
PID 2152 wrote to memory of 2488	2152	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	49
PID 2152 wrote to memory of 2488	2152	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	49
PID 2152 wrote to memory of 2488	2152	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	49
PID 2432 wrote to memory of 2128	2432	WScript.exe	50
PID 2432 wrote to memory of 2128	2432	WScript.exe	50
PID 2432 wrote to memory of 2128	2432	WScript.exe	50
PID 2128 wrote to memory of 704	2128	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	51
PID 2128 wrote to memory of 704	2128	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	51
PID 2128 wrote to memory of 704	2128	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	51
PID 2128 wrote to memory of 2776	2128	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	52
PID 2128 wrote to memory of 2776	2128	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	52
PID 2128 wrote to memory of 2776	2128	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	52
PID 704 wrote to memory of 2816	704	WScript.exe	53
PID 704 wrote to memory of 2816	704	WScript.exe	53
PID 704 wrote to memory of 2816	704	WScript.exe	53
PID 2816 wrote to memory of 2572	2816	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	54
PID 2816 wrote to memory of 2572	2816	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	54
PID 2816 wrote to memory of 2572	2816	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	54
PID 2816 wrote to memory of 1020	2816	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	55
PID 2816 wrote to memory of 1020	2816	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	55
PID 2816 wrote to memory of 1020	2816	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	55
PID 2572 wrote to memory of 956	2572	WScript.exe	56
PID 2572 wrote to memory of 956	2572	WScript.exe	56
PID 2572 wrote to memory of 956	2572	WScript.exe	56
PID 956 wrote to memory of 2556	956	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	57
PID 956 wrote to memory of 2556	956	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	57
PID 956 wrote to memory of 2556	956	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	57
PID 956 wrote to memory of 2212	956	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	58
PID 956 wrote to memory of 2212	956	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	58
PID 956 wrote to memory of 2212	956	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	58
PID 2556 wrote to memory of 2508	2556	WScript.exe	59

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
"C:\Users\Admin\AppData\Local\Temp\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Templates\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f4SA8IZqM3.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2640
- - C:\ProgramData\Templates\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
    "C:\ProgramData\Templates\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2344
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28b964e4-d724-4910-917f-21e6a88bda2c.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1968
    - - C:\ProgramData\Templates\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
        
        C:\ProgramData\Templates\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2152
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f24c85a-6347-435b-9c1c-f0a61294d93b.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\ProgramData\Templates\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
        
        C:\ProgramData\Templates\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a9aab01-f1cf-4eb9-9538-4dec94a56831.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\ProgramData\Templates\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
        
        C:\ProgramData\Templates\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f1e2f11-b2a0-421a-8239-6512b102a72c.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\ProgramData\Templates\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
        
        C:\ProgramData\Templates\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c91543fd-ca4f-475e-8264-2e441ee50728.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\ProgramData\Templates\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
        
        C:\ProgramData\Templates\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50410447-9644-4657-ba6b-151324e5ca93.vbs"
        14⤵
        
        PID:2248
        
        C:\ProgramData\Templates\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
        
        C:\ProgramData\Templates\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\808da0e0-a963-488a-aa22-bbf3b1ff0b70.vbs"
        16⤵
        
        PID:1752
        
        C:\ProgramData\Templates\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
        
        C:\ProgramData\Templates\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef1b0e1d-6241-4b4f-b8d7-d769d62691c3.vbs"
        18⤵
        
        PID:2808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e78d809c-aa67-41fe-91b6-f2efb4bb8204.vbs"
        18⤵
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64ad6655-aac7-4a8d-b06d-7773de5ac6f0.vbs"
        16⤵
        
        PID:1156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33e7a0c6-42f4-478a-83cb-5e6211c44aa9.vbs"
        14⤵
        
        PID:700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4a37a3f-2d5c-4edc-8fae-f327c5a3b1a5.vbs"
        12⤵
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0e5e1f4-3153-4c6a-aac6-d313b346c5f8.vbs"
        10⤵
        
        PID:1020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\191f6331-0c6d-4c28-a929-4808d456b261.vbs"
        8⤵
        
        PID:2776
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69824cd4-926c-47ec-a780-d0f28a3c0175.vbs"
        6⤵
        
        PID:2488
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6acab2ee-dc9a-4bcb-8fc3-cff4ad8f4afb.vbs"
      4⤵
      PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N" /sc ONLOGON /tr "'C:\ProgramData\Templates\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\PerfLogs\Admin\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Templates\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe

Filesize
1.5MB

MD5
7b051970be6c2699829c126a8a6e63e0

SHA1
95dc9fe1223e49f02932104f79b91f38040f242a

SHA256
50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65

SHA512
f71d210e34c6cfa62de1dfe0a74ae33e91f41f4eb8b95bc169edd3b2e7f51e897dcafdcfcd5e138f337b46aefbe7ab06c29c65234a39cd2039c2cc108231f2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\28b964e4-d724-4910-917f-21e6a88bda2c.vbs

Filesize
770B

MD5
63a70736a3edc5e149e004464b277c60

SHA1
1929fd3d4a1b9b4a1c7c8080f74eaf04c3f9c9e4

SHA256
80130ef30e1e09008845126e2e169ebe66a5c47297ac8a98d9ff3c317c09f656

SHA512
6e63ffa8153c86569d71c6ec5f37f4f3be94b983e014d39c28dda529d1f8d7f900cdbeef884b06f272ac7456816a4b8e794c3fef0f28ab0fbd671029760bc03a

Download Submit
C:\Users\Admin\AppData\Local\Temp\50410447-9644-4657-ba6b-151324e5ca93.vbs

Filesize
770B

MD5
f1d8af3cd25c35029aa95f8bb0fcd193

SHA1
39ef71e98eec208b619898ab576f4218ccf895f9

SHA256
76f218e129205119e461ff8c39bccf349fb9c0a28d7f74a4393c6638c12ea8cd

SHA512
f23dac41d959612e6bd95e5b4086a3d7c51f8bad27eb9f9dd12934e1acca5123bcdff659bf4ba7161b44620c16a7796c0f80b2d4da50063f3757940d63b40987

Download Submit
C:\Users\Admin\AppData\Local\Temp\6acab2ee-dc9a-4bcb-8fc3-cff4ad8f4afb.vbs

Filesize
546B

MD5
f495a0d0736ef39d5edddbbcd28e3d05

SHA1
9ea1819265f98f8a59399a47061056ad6f3d568e

SHA256
a92e09c92a7eabea3369d66b40d7470f4934cd518ff8c118f526689b4a32ab0e

SHA512
f2667e6ba69001fa147540de8bf86a370f4c435bed430e19d55edf69bd65879887221d512db8f20b49c0c847aa397dea950716b4be6130df25686ab6ea716cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f1e2f11-b2a0-421a-8239-6512b102a72c.vbs

Filesize
770B

MD5
81d4f433db00972e657b84ad5707a3ee

SHA1
ca7ababf4fe5058144b0a198ced44eabcb38359f

SHA256
d50bcd5bb20fa7dd70b8f86f9f0cdb98943baa5b2ecfdb45bb5955c037a24e10

SHA512
aa3f02d12826b694452b3ae1d45359667f3ae5f51404b0339d355f9ec79d77656a96e95c81d08e860904a1d9e9a21d6cd961e0bcd2a94b6f49a016b8935a190f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f24c85a-6347-435b-9c1c-f0a61294d93b.vbs

Filesize
770B

MD5
5e22676f02e15c1e33c0fab10faf80d9

SHA1
7c000204024ba587d7a4b9c89cda35dada5edbb0

SHA256
55d2fe78dc2bff00dd43d40435354784dbe88336d41f540ce1c4dddc76c32ce5

SHA512
bab7079806ec47b2b4ebe53b3ce4eeea24e4f4bde2cd7073bea0ad0764651416da73e50b6e105a7ae8a7201d4cca71adfb6d5028eb7b992601dc8296525b5208

Download Submit
C:\Users\Admin\AppData\Local\Temp\808da0e0-a963-488a-aa22-bbf3b1ff0b70.vbs

Filesize
770B

MD5
abd5fa99a58b8885851a6071559ce82c

SHA1
7fc343891e747f5761e52ae302f02a7403e58004

SHA256
cf5b42df23229823f3fc6d511a02731ba0c588dd8cd9142f8e1886ebf4cec63d

SHA512
66e66818bb71a009d5b5815526bd72b6217dbc1a3a4056b5af5deee0d4327844c77ab8b16baac437c8e94881eb4a4247b93f72b5e3a6dde2678155b303d12538

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a9aab01-f1cf-4eb9-9538-4dec94a56831.vbs

Filesize
770B

MD5
de3507c5d580bed2ebbad8ec3cba105c

SHA1
3c73ca0b2ea9bcd94c6cfbcc620c3a9cfbbdb5b9

SHA256
dbea3cb2eb561d49b17c1dfed5c2481e5805e518b37e23f1d24588e211282470

SHA512
b50a9902a1083d9ac041b7c80bfcae5b0c2af9c964eaf1a28159687cee9506fb22381846ede4162f1f3a06f70df8e941937acc4a21606c9b7c6ad23c368a497d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c91543fd-ca4f-475e-8264-2e441ee50728.vbs

Filesize
769B

MD5
2065a06f4f3b436a1d0062bd56da658c

SHA1
51114cd57cef89080cd425eba2fec4bd95daafe9

SHA256
84d63d70f4d9cd9254907b43fc4dda4b983e6fb7d81a17e8b7aacd0f4f726ae1

SHA512
e2b4f64fd550b5a19e86fea0539e902e808484f01550ae3a5d469b6e8a6e9bc33ad69719f408ff3b360cf7e38aa5d5f4fe3c8ffc11a45d05c5fe5aec7078718a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef1b0e1d-6241-4b4f-b8d7-d769d62691c3.vbs

Filesize
770B

MD5
bdc7471dc9824d4bbb618cba3d7510f0

SHA1
113e85b2bbf9af7cba593131efbac8490d942c93

SHA256
c00fa5dcc804fa70add7ab71abdcbab77a298490c9d7c475b763354ac707b935

SHA512
e6bc74907bd486af91cc589552a3eb9d4e7fc7e35b0c4b98de2dab4928673df607f77f8eb94c57459c3d7d906e8382cbea79193f42617c4fbd0b437163c60997

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4SA8IZqM3.bat

Filesize
258B

MD5
9853cc40e881d74513b6933c00a495b3

SHA1
b8d09a7580aa46bc1a2c3f2cfdbb61ea7cb7a4f3

SHA256
ec7d8b59beb22527df8b4835fa96c43c5b018ce3aeaddd0fc58efdc8a4c35faa

SHA512
60e5ef13cd426f0505ef99b5ea37dca20b94807a5bd8526e4007c9aaedda0a4e4b1df8c5cab62761ed4ba209f9a855a4bb90ca9505331d8eebb778bef2f4b6eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UQQDABY65GZW2Q06GJWD.temp

Filesize
7KB

MD5
dc71b07fdfa41aa20c38654ee9ea8d84

SHA1
c6ddbbe897091d9d22f457a2661ea1e37f1b873a

SHA256
0fee786d5fa828e340047843f22a2bc1b2ccb642ae26f05d39cc228e65d4469a

SHA512
8b958882e83300b13148a0332013b28005071aefc6646426be58a3d53958377c69ba2279ef5cdbd10792cac2973be6838a521ba1cd0792c4b3f94f62e31e9f15

Download Submit
memory/940-77-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/1492-12-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download
memory/1492-6-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/1492-15-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

Filesize
40KB

Download
memory/1492-16-0x000000001A6D0000-0x000000001A6D8000-memory.dmp

Filesize
32KB

Download
memory/1492-17-0x000000001A6E0000-0x000000001A6EC000-memory.dmp

Filesize
48KB

Download
memory/1492-18-0x000000001A6F0000-0x000000001A6F8000-memory.dmp

Filesize
32KB

Download
memory/1492-20-0x000000001A700000-0x000000001A70C000-memory.dmp

Filesize
48KB

Download
memory/1492-21-0x000000001A710000-0x000000001A718000-memory.dmp

Filesize
32KB

Download
memory/1492-24-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/1492-25-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/1492-34-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/1492-13-0x0000000000C20000-0x0000000000C2A000-memory.dmp

Filesize
40KB

Download
memory/1492-48-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/1492-56-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/1492-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

Filesize
4KB

Download
memory/1492-62-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/1492-11-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/1492-1-0x0000000000DD0000-0x0000000000F4E000-memory.dmp

Filesize
1.5MB

Download
memory/1492-10-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/1492-2-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/1492-3-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/1492-9-0x00000000006A0000-0x00000000006AC000-memory.dmp

Filesize
48KB

Download
memory/1492-8-0x0000000000690000-0x0000000000698000-memory.dmp

Filesize
32KB

Download
memory/1492-4-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/1492-5-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/1492-14-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/1492-7-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/2012-78-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/2152-94-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2152-93-0x0000000000E20000-0x0000000000F9E000-memory.dmp

Filesize
1.5MB

Download
memory/2344-82-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/2344-81-0x0000000000E10000-0x0000000000F8E000-memory.dmp

Filesize
1.5MB

Download
memory/2500-152-0x0000000001190000-0x000000000130E000-memory.dmp

Filesize
1.5MB

Download
memory/2508-140-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/2816-117-0x0000000000E30000-0x0000000000FAE000-memory.dmp

Filesize
1.5MB

Download