dcrat | 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Size

827KB
MD5

c847a23633e81d799fba45bde7cc9951
SHA1

090035126cabb2fb574175c271097042025202de
SHA256

18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c
SHA512

6b057e15133fe58bc1d105a90b761d2f3558e8a8d3a901d9892905dd75f6be569a4bff4a02d919623305c4d524d96b7f902ef3dded6782cc237b1a47807f34bb
SSDEEP

12288:EP4wqKCH1Hq0nAwv+j49dkrI58NAyZixuj8zXcdFjfpdpoyqQ6Tz:ENdgHqBj49dkrIscuQwbrqQ6Tz

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 38 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2964	schtasks.exe
		2320	schtasks.exe
		2256	schtasks.exe
		980	schtasks.exe
		1480	schtasks.exe
		2940	schtasks.exe
		2972	schtasks.exe
		936	schtasks.exe
File created	C:\Windows\Registration\CRMLog\dwm.exe		18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
		2004	schtasks.exe
		1980	schtasks.exe
		2288	schtasks.exe
		1768	schtasks.exe
		2188	schtasks.exe
File created	C:\Windows\Registration\CRMLog\6cb0b6c459d5d3		18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
		2572	schtasks.exe
		1840	schtasks.exe
		2656	schtasks.exe
		1428	schtasks.exe
		444	schtasks.exe
		2992	schtasks.exe
		2632	schtasks.exe
		1776	schtasks.exe
		2796	schtasks.exe
		2012	schtasks.exe
		1976	schtasks.exe
		2604	schtasks.exe
		2616	schtasks.exe
		1816	schtasks.exe
		1500	schtasks.exe
		2752	schtasks.exe
		2108	schtasks.exe
		1968	schtasks.exe
		2928	schtasks.exe
		2056	schtasks.exe
		2104	schtasks.exe
		2224	schtasks.exe
		2000	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Registration\\CRMLog\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\sppsvc.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\WmiPrvSE.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Registration\\CRMLog\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\sppsvc.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\", \"C:\\Windows\\System32\\LogFiles\\AIT\\dllhost.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Registration\\CRMLog\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\sppsvc.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\", \"C:\\Windows\\System32\\LogFiles\\AIT\\dllhost.exe\", \"C:\\Windows\\it-IT\\lsm.exe\", \"C:\\Windows\\Cursors\\WmiPrvSE.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Registration\\CRMLog\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\sppsvc.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\", \"C:\\Windows\\System32\\LogFiles\\AIT\\dllhost.exe\", \"C:\\Windows\\it-IT\\lsm.exe\", \"C:\\Windows\\Cursors\\WmiPrvSE.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\csrss.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Registration\\CRMLog\\dwm.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Registration\\CRMLog\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\sppsvc.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Registration\\CRMLog\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\sppsvc.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\", \"C:\\Windows\\System32\\LogFiles\\AIT\\dllhost.exe\", \"C:\\Windows\\it-IT\\lsm.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Registration\\CRMLog\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\sppsvc.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\", \"C:\\Windows\\System32\\LogFiles\\AIT\\dllhost.exe\", \"C:\\Windows\\it-IT\\lsm.exe\", \"C:\\Windows\\Cursors\\WmiPrvSE.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Registration\\CRMLog\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\sppsvc.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\", \"C:\\Windows\\System32\\LogFiles\\AIT\\dllhost.exe\", \"C:\\Windows\\it-IT\\lsm.exe\", \"C:\\Windows\\Cursors\\WmiPrvSE.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Registration\\CRMLog\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\sppsvc.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\", \"C:\\Windows\\System32\\LogFiles\\AIT\\dllhost.exe\", \"C:\\Windows\\it-IT\\lsm.exe\", \"C:\\Windows\\Cursors\\WmiPrvSE.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\winlogon.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Registration\\CRMLog\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Registration\\CRMLog\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\sppsvc.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2792	schtasks.exe	31

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2396-1-0x0000000000180000-0x0000000000256000-memory.dmp	dcrat
behavioral1/files/0x00060000000174f8-11.dat	dcrat
behavioral1/memory/1032-35-0x0000000000D20000-0x0000000000DF6000-memory.dmp	dcrat
behavioral1/memory/560-42-0x00000000010E0000-0x00000000011B6000-memory.dmp	dcrat
behavioral1/memory/1628-49-0x0000000000130000-0x0000000000206000-memory.dmp	dcrat
behavioral1/memory/2680-56-0x0000000000B30000-0x0000000000C06000-memory.dmp	dcrat
behavioral1/memory/3052-69-0x0000000001100000-0x00000000011D6000-memory.dmp	dcrat
behavioral1/memory/2388-76-0x00000000012D0000-0x00000000013A6000-memory.dmp	dcrat
behavioral1/memory/2680-107-0x0000000000350000-0x0000000000426000-memory.dmp	dcrat

Executes dropped EXE 12 IoCs

pid	Process
1032	lsm.exe
560	lsm.exe
1628	lsm.exe
2680	lsm.exe
3044	lsm.exe
3052	lsm.exe
2388	lsm.exe
1140	lsm.exe
784	lsm.exe
1936	lsm.exe
1572	lsm.exe
2680	lsm.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Registration\\CRMLog\\dwm.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\sppsvc.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\WmiPrvSE.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\LogFiles\\AIT\\dllhost.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\LogFiles\\AIT\\dllhost.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\it-IT\\lsm.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\Cursors\\WmiPrvSE.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Mail\\it-IT\\winlogon.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\WmiPrvSE.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\csrss.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Mail\\it-IT\\winlogon.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Registration\\CRMLog\\dwm.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\csrss.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\sppsvc.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\it-IT\\lsm.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\Cursors\\WmiPrvSE.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Uninstall Information\\dwm.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
19	pastebin.com
23	pastebin.com
25	pastebin.com
4	pastebin.com
9	pastebin.com
11	pastebin.com
13	pastebin.com
15	pastebin.com
17	pastebin.com
21	pastebin.com
7	pastebin.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\LogFiles\AIT\dllhost.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
File created	C:\Windows\System32\LogFiles\AIT\5940a34987c991	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\6cb0b6c459d5d3	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\winlogon.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\cc11b995f2a76d	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\sppsvc.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\0a1fd5f707cd16	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
File created	C:\Program Files (x86)\Uninstall Information\dwm.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Registration\CRMLog\6cb0b6c459d5d3	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
File created	C:\Windows\it-IT\lsm.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
File created	C:\Windows\it-IT\101b941d020240	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
File created	C:\Windows\Cursors\WmiPrvSE.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
File created	C:\Windows\Cursors\24dbde2999530e	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
File created	C:\Windows\Registration\CRMLog\dwm.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
File opened for modification	C:\Windows\Registration\CRMLog\dwm.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2572	schtasks.exe
1428	schtasks.exe
2000	schtasks.exe
2972	schtasks.exe
1980	schtasks.exe
2656	schtasks.exe
2004	schtasks.exe
2256	schtasks.exe
1840	schtasks.exe
2288	schtasks.exe
1976	schtasks.exe
2992	schtasks.exe
2632	schtasks.exe
1500	schtasks.exe
1480	schtasks.exe
1776	schtasks.exe
2940	schtasks.exe
2752	schtasks.exe
2796	schtasks.exe
2012	schtasks.exe
1968	schtasks.exe
444	schtasks.exe
2320	schtasks.exe
1816	schtasks.exe
2616	schtasks.exe
2108	schtasks.exe
2964	schtasks.exe
2928	schtasks.exe
1768	schtasks.exe
2188	schtasks.exe
2056	schtasks.exe
2104	schtasks.exe
2604	schtasks.exe
980	schtasks.exe
2224	schtasks.exe
936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2396	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
2396	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
2396	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
1032	lsm.exe
560	lsm.exe
1628	lsm.exe
2680	lsm.exe
3044	lsm.exe
3052	lsm.exe
2388	lsm.exe
1140	lsm.exe
784	lsm.exe
1936	lsm.exe
1572	lsm.exe
2680	lsm.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
Token: SeDebugPrivilege	1032	lsm.exe
Token: SeDebugPrivilege	560	lsm.exe
Token: SeDebugPrivilege	1628	lsm.exe
Token: SeDebugPrivilege	2680	lsm.exe
Token: SeDebugPrivilege	3044	lsm.exe
Token: SeDebugPrivilege	3052	lsm.exe
Token: SeDebugPrivilege	2388	lsm.exe
Token: SeDebugPrivilege	1140	lsm.exe
Token: SeDebugPrivilege	784	lsm.exe
Token: SeDebugPrivilege	1936	lsm.exe
Token: SeDebugPrivilege	1572	lsm.exe
Token: SeDebugPrivilege	2680	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2380	2396	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe	68
PID 2396 wrote to memory of 2380	2396	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe	68
PID 2396 wrote to memory of 2380	2396	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe	68
PID 2380 wrote to memory of 1304	2380	cmd.exe	70
PID 2380 wrote to memory of 1304	2380	cmd.exe	70
PID 2380 wrote to memory of 1304	2380	cmd.exe	70
PID 2380 wrote to memory of 1032	2380	cmd.exe	71
PID 2380 wrote to memory of 1032	2380	cmd.exe	71
PID 2380 wrote to memory of 1032	2380	cmd.exe	71
PID 1032 wrote to memory of 1700	1032	lsm.exe	72
PID 1032 wrote to memory of 1700	1032	lsm.exe	72
PID 1032 wrote to memory of 1700	1032	lsm.exe	72
PID 1700 wrote to memory of 1052	1700	cmd.exe	74
PID 1700 wrote to memory of 1052	1700	cmd.exe	74
PID 1700 wrote to memory of 1052	1700	cmd.exe	74
PID 1700 wrote to memory of 560	1700	cmd.exe	75
PID 1700 wrote to memory of 560	1700	cmd.exe	75
PID 1700 wrote to memory of 560	1700	cmd.exe	75
PID 560 wrote to memory of 2116	560	lsm.exe	76
PID 560 wrote to memory of 2116	560	lsm.exe	76
PID 560 wrote to memory of 2116	560	lsm.exe	76
PID 2116 wrote to memory of 1224	2116	cmd.exe	78
PID 2116 wrote to memory of 1224	2116	cmd.exe	78
PID 2116 wrote to memory of 1224	2116	cmd.exe	78
PID 2116 wrote to memory of 1628	2116	cmd.exe	79
PID 2116 wrote to memory of 1628	2116	cmd.exe	79
PID 2116 wrote to memory of 1628	2116	cmd.exe	79
PID 1628 wrote to memory of 2844	1628	lsm.exe	80
PID 1628 wrote to memory of 2844	1628	lsm.exe	80
PID 1628 wrote to memory of 2844	1628	lsm.exe	80
PID 2844 wrote to memory of 3008	2844	cmd.exe	82
PID 2844 wrote to memory of 3008	2844	cmd.exe	82
PID 2844 wrote to memory of 3008	2844	cmd.exe	82
PID 2844 wrote to memory of 2680	2844	cmd.exe	83
PID 2844 wrote to memory of 2680	2844	cmd.exe	83
PID 2844 wrote to memory of 2680	2844	cmd.exe	83
PID 2680 wrote to memory of 2256	2680	lsm.exe	84
PID 2680 wrote to memory of 2256	2680	lsm.exe	84
PID 2680 wrote to memory of 2256	2680	lsm.exe	84
PID 2256 wrote to memory of 2168	2256	cmd.exe	86
PID 2256 wrote to memory of 2168	2256	cmd.exe	86
PID 2256 wrote to memory of 2168	2256	cmd.exe	86
PID 2256 wrote to memory of 3044	2256	cmd.exe	87
PID 2256 wrote to memory of 3044	2256	cmd.exe	87
PID 2256 wrote to memory of 3044	2256	cmd.exe	87
PID 3044 wrote to memory of 2820	3044	lsm.exe	88
PID 3044 wrote to memory of 2820	3044	lsm.exe	88
PID 3044 wrote to memory of 2820	3044	lsm.exe	88
PID 2820 wrote to memory of 3016	2820	cmd.exe	90
PID 2820 wrote to memory of 3016	2820	cmd.exe	90
PID 2820 wrote to memory of 3016	2820	cmd.exe	90
PID 2820 wrote to memory of 3052	2820	cmd.exe	91
PID 2820 wrote to memory of 3052	2820	cmd.exe	91
PID 2820 wrote to memory of 3052	2820	cmd.exe	91
PID 3052 wrote to memory of 988	3052	lsm.exe	92
PID 3052 wrote to memory of 988	3052	lsm.exe	92
PID 3052 wrote to memory of 988	3052	lsm.exe	92
PID 988 wrote to memory of 476	988	cmd.exe	94
PID 988 wrote to memory of 476	988	cmd.exe	94
PID 988 wrote to memory of 476	988	cmd.exe	94
PID 988 wrote to memory of 2388	988	cmd.exe	95
PID 988 wrote to memory of 2388	988	cmd.exe	95
PID 988 wrote to memory of 2388	988	cmd.exe	95
PID 2388 wrote to memory of 2776	2388	lsm.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe
"C:\Users\Admin\AppData\Local\Temp\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g06dQqhnlz.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1304
- - C:\Windows\it-IT\lsm.exe
    "C:\Windows\it-IT\lsm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1052
    - - C:\Windows\it-IT\lsm.exe
        
        "C:\Windows\it-IT\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:560
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1224
        
        C:\Windows\it-IT\lsm.exe
        
        "C:\Windows\it-IT\lsm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3008
        
        C:\Windows\it-IT\lsm.exe
        
        "C:\Windows\it-IT\lsm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2168
        
        C:\Windows\it-IT\lsm.exe
        
        "C:\Windows\it-IT\lsm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3016
        
        C:\Windows\it-IT\lsm.exe
        
        "C:\Windows\it-IT\lsm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:476
        
        C:\Windows\it-IT\lsm.exe
        
        "C:\Windows\it-IT\lsm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat"
        16⤵
        
        PID:2776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2396
        
        C:\Windows\it-IT\lsm.exe
        
        "C:\Windows\it-IT\lsm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat"
        18⤵
        
        PID:352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1724
        
        C:\Windows\it-IT\lsm.exe
        
        "C:\Windows\it-IT\lsm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat"
        20⤵
        
        PID:612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:300
        
        C:\Windows\it-IT\lsm.exe
        
        "C:\Windows\it-IT\lsm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat"
        22⤵
        
        PID:2712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2204
        
        C:\Windows\it-IT\lsm.exe
        
        "C:\Windows\it-IT\lsm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGj9C4kLBH.bat"
        24⤵
        
        PID:1716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2428
        
        C:\Windows\it-IT\lsm.exe
        
        "C:\Windows\it-IT\lsm.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\LogFiles\AIT\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\LogFiles\AIT\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\LogFiles\AIT\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\it-IT\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Cursors\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe

Filesize
827KB

MD5
c847a23633e81d799fba45bde7cc9951

SHA1
090035126cabb2fb574175c271097042025202de

SHA256
18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c

SHA512
6b057e15133fe58bc1d105a90b761d2f3558e8a8d3a901d9892905dd75f6be569a4bff4a02d919623305c4d524d96b7f902ef3dded6782cc237b1a47807f34bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat

Filesize
189B

MD5
d9cae42767e8c798ef197061d02cddaf

SHA1
26a2acc42d0e6ca3a8d737a13c96961f1b6be82d

SHA256
addcea8b63008047994ad04e5e07e1f9591ac013fb24b5d67ee66e6e31c31b28

SHA512
6cf4028023fb37bcde10b8dcd3df42914b915124b72ca692bc3b2219e6b0e512bb4acb20fc80292fa53138091e685c2938f51339ce153d1bb3c5ffaea2fd3154

Download Submit
C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat

Filesize
189B

MD5
17793880b846db62ab1fb2df83695a59

SHA1
0d8d01dab8502326eaf0a5bfc0ac03aa04a51969

SHA256
aaa9710c5bba9cb43943ef48287c11179222a95b6641abdc57394a9688008b62

SHA512
3903af30819be0309110b688abca4be3dd27e590431b915dc06f16fe2a20e0f0bb04244c8e4ab63a023d8f5ff44b935030425b5194d85e6795e4cde1626cb851

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat

Filesize
189B

MD5
94209fc2a25cb1325b204977ecad325c

SHA1
e3c64c525bdf3f9c2d254fbcdd34eb1b6bdd1d18

SHA256
40ca0f38491f398b02106bce79b60b31521d94eef8a2cb6784859b68ac0965e8

SHA512
c1e3dbe30f5b73fc527889a436a7ab22bcb63bd598dd2d6a840baa57021b30776f958449d74f2c73b44933baaaf360236aeab4c8c7261c2acbc74ec97113f3ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat

Filesize
189B

MD5
d3acb9dd3e40884d0a512350ac73f32c

SHA1
8821ed4ee3f6d52656394f074a43a2138b3d9ed5

SHA256
546d2a0a797b7e8d39bdf8df9be00d001bceb3b055a6d83c818cbd346f81b911

SHA512
5446581f293178eea1e6541635663c3d7a10aa879e4eac1fa09d9c45b3cf1ebd7b2782b2481c724d466cd89a52fab327a76a66bd3360c3156eefcded1722a4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat

Filesize
189B

MD5
39faaad1802b66b1484e7726ce784741

SHA1
29dac8eb182309c3722b244c3c2cfd5ea589faaa

SHA256
edf9cdc1735f2e93dbdcf94bcbf560031b9ee9e5f04ae64585245e0e1bed5778

SHA512
4cb59a5fbeb9665ea5f83b8e1841d5bdb716b8fbd12cde423532d14843360eb5362f5584d50a54cb2a822d02ce7138d4c8ce2dd953ecddf10a1754192e89169f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat

Filesize
189B

MD5
5bc1e1774e27b23b718f0ae581c86322

SHA1
dea1b665534c2155ccdbdaa45b1dc43724abba2a

SHA256
41e8dc472ba16c23a33157b20dff8b8c4bfaf4ed1828e9c3f0b3f32b7a9ae9e2

SHA512
e2b56411ffcbf684d3d75102b7b7c19230f9a2194f30d18855dee8459265af899852553e7d119fd849ab2462263208d42e8731423d0e85853be161048a985ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat

Filesize
189B

MD5
c384dbc80691f74a3008f46a056c2f7c

SHA1
b32c406880bf431ac63d29ab30240530c07ffd69

SHA256
cae30d9d0b1ef8921cb4087061a9e853063e0c0781161e689d52c9c63c2ad8b1

SHA512
aab727264f83c447c030eb12450804fa98ceeccf8c63775ddd19018b810b61f396ce505a5ac842598eace920170ede69d509cd13333cea275cd3a23f281c4743

Download Submit
C:\Users\Admin\AppData\Local\Temp\g06dQqhnlz.bat

Filesize
189B

MD5
eab3482dd28d9d0a9b741ab75babadd0

SHA1
8f68d20ee92c2d29f1c7cdb8e9ebef275c02c26c

SHA256
8931c2952b366a7ab0bd33331ca737e6970fa271644c32b8ca3b8dbe30796da7

SHA512
f044f9c90ca988c6816fc551a773e9ec616d4dba81978217d342248bcfec66a7e5aba0945b74b9a87d7e1cea3fc3a618198dc34c3874b4e5ecdeae6c5f6d756d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGj9C4kLBH.bat

Filesize
189B

MD5
79c25d8e743c7c9c3c50daf973442433

SHA1
2aaff91274d22ed270fabbb8bb112c0a3c720fcf

SHA256
d52d7f2efd0ba314f01431c6c37a94185818e72117b162d95b8f2e02b2b8b7d4

SHA512
e4c1d4f1811707a5cf017c69678e63eb9a4e226267e909b61ec81bd387e98bca2c4d2e0c70dd38d2d2635724788fbe01be5b86bfe7e302c9f572753e59876bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat

Filesize
189B

MD5
34ab51e9bddcf48a701c1d19389d415d

SHA1
1c7125ed3c9ab4c9ed45dafcc71489750b5be271

SHA256
ffa590c8147a5a958b0caf68a75f106f76fd7fb51088f8c18b8675d1fe5cb61a

SHA512
3e998d6c8297072d729754c6dd92c865c7106e6cb2d06e937c0bae5d863aedabee9f85fbc7cca4fbd514d956f38c2d3a2b002bc8930e851ee0be4d9c5ca79c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat

Filesize
189B

MD5
39ecaf4529297a2fb7cc2f909b8a05f5

SHA1
fb86e511a6e6f019e687845ab9282cb06d440a9b

SHA256
6083b78ae5299572325b54706a94e8780cca5b6924ab98b307755505fd0c6233

SHA512
de429d4bf04fd9f57eaccd7fa786f7e008ff8f4a01f1bafdd68ad8703d86735260e5148eb8350961eaee1398224ea053254261b53cd70f630d410d8e215ced10

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat

Filesize
189B

MD5
6a134bf32ffe74bb64501e9ea86dc218

SHA1
2e9d6720031af23a998a3e52cecb60ce7fb61221

SHA256
460c24006089782c29307c609e164284852e48d27657ae9a1f22371cd54fdb86

SHA512
ac8bda56757071e76b1cf022891368afccf7491b31d0c2c4183939fa492d6b8c805b065bcdcd317becb45fb30556a2d613af78d0360a4ed622958093862f83d1

Download Submit
memory/560-42-0x00000000010E0000-0x00000000011B6000-memory.dmp

Filesize
856KB

Download
memory/1032-35-0x0000000000D20000-0x0000000000DF6000-memory.dmp

Filesize
856KB

Download
memory/1628-49-0x0000000000130000-0x0000000000206000-memory.dmp

Filesize
856KB

Download
memory/2388-76-0x00000000012D0000-0x00000000013A6000-memory.dmp

Filesize
856KB

Download
memory/2396-0-0x000007FEF51C3000-0x000007FEF51C4000-memory.dmp

Filesize
4KB

Download
memory/2396-31-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2396-2-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2396-1-0x0000000000180000-0x0000000000256000-memory.dmp

Filesize
856KB

Download
memory/2680-56-0x0000000000B30000-0x0000000000C06000-memory.dmp

Filesize
856KB

Download
memory/2680-107-0x0000000000350000-0x0000000000426000-memory.dmp

Filesize
856KB

Download
memory/3052-69-0x0000000001100000-0x00000000011D6000-memory.dmp

Filesize
856KB

Download