dcrat | 74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3

Analysis

max time kernel
149s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

812ac1ea0b1d66a93d0beca70cc28cbe.exe
Size

2.2MB
MD5

812ac1ea0b1d66a93d0beca70cc28cbe
SHA1

c5cff3dc9a2503521de74a7d4cda2f678f5bb575
SHA256

74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3
SHA512

01acc3b99130f0d263917e4e362caf25841b21e3a9a82ce40004db96239ebcc8762a57ebad020ed704213596a100d060475cd9fd61c5bd4df9a35ff14d4cc6f6
SSDEEP

49152:K31tZUmbFNH1wLJDPqTo9lIS/MXU2F4/1l5eQ7K6:KltZUE6NDyTo9lv2F+VvK6

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 55 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		996	schtasks.exe
		316	schtasks.exe
		2528	schtasks.exe
		1896	schtasks.exe
		1932	schtasks.exe
		1088	schtasks.exe
		1760	schtasks.exe
		2812	schtasks.exe
		2364	schtasks.exe
		1360	schtasks.exe
		2708	schtasks.exe
		2300	schtasks.exe
		1872	schtasks.exe
		2004	schtasks.exe
		2876	schtasks.exe
		2384	schtasks.exe
		3012	schtasks.exe
		2580	schtasks.exe
		1712	schtasks.exe
		412	schtasks.exe
		1280	schtasks.exe
		2716	schtasks.exe
		2584	schtasks.exe
		1276	schtasks.exe
		1624	schtasks.exe
		2064	schtasks.exe
		744	schtasks.exe
		2984	schtasks.exe
		912	schtasks.exe
		1592	schtasks.exe
		1496	schtasks.exe
		1800	schtasks.exe
		1076	schtasks.exe
		1684	schtasks.exe
		2088	schtasks.exe
		1188	schtasks.exe
		2904	schtasks.exe
		992	schtasks.exe
		1728	schtasks.exe
		1268	schtasks.exe
		1476	schtasks.exe
		1424	schtasks.exe
		1640	schtasks.exe
		1548	schtasks.exe
		2192	schtasks.exe
		2172	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		812ac1ea0b1d66a93d0beca70cc28cbe.exe
		2820	schtasks.exe
		3052	schtasks.exe
		3008	schtasks.exe
		1748	schtasks.exe
		3020	schtasks.exe
		856	schtasks.exe
		2028	schtasks.exe
		680	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Users\\Public\\Recorded TV\\spoolsv.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Users\\All Users\\Templates\\services.exe\", \"C:\\Program Files\\Windows Media Player\\winlogon.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Users\\Public\\Recorded TV\\spoolsv.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Users\\All Users\\Templates\\services.exe\", \"C:\\Program Files\\Windows Media Player\\winlogon.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\System.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Admin\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\spoolsv.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Users\\Public\\Recorded TV\\spoolsv.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Users\\All Users\\Templates\\services.exe\", \"C:\\Program Files\\Windows Media Player\\winlogon.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\System.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Admin\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\spoolsv.exe\", \"C:\\Users\\All Users\\winlogon.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\WmiPrvSE.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\audiodg.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Users\\Public\\Recorded TV\\spoolsv.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Users\\All Users\\Templates\\services.exe\", \"C:\\Program Files\\Windows Media Player\\winlogon.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Users\\Public\\Recorded TV\\spoolsv.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Users\\All Users\\Templates\\services.exe\", \"C:\\Program Files\\Windows Media Player\\winlogon.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\System.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Users\\Public\\Recorded TV\\spoolsv.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Users\\All Users\\Templates\\services.exe\", \"C:\\Program Files\\Windows Media Player\\winlogon.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\System.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Admin\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\spoolsv.exe\", \"C:\\Users\\All Users\\winlogon.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\OSPPSVC.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Users\\Public\\Recorded TV\\spoolsv.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Users\\All Users\\Templates\\services.exe\", \"C:\\Program Files\\Windows Media Player\\winlogon.exe\", \"C:\\Users\\Default User\\csrss.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Users\\Public\\Recorded TV\\spoolsv.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Users\\All Users\\Templates\\services.exe\", \"C:\\Program Files\\Windows Media Player\\winlogon.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\System.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Admin\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\spoolsv.exe\", \"C:\\Users\\All Users\\winlogon.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Users\\Public\\Recorded TV\\spoolsv.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Users\\All Users\\Templates\\services.exe\", \"C:\\Program Files\\Windows Media Player\\winlogon.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\System.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Admin\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\spoolsv.exe\", \"C:\\Users\\All Users\\winlogon.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\explorer.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Users\\Public\\Recorded TV\\spoolsv.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Users\\Public\\Recorded TV\\spoolsv.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Users\\All Users\\Templates\\services.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Users\\Public\\Recorded TV\\spoolsv.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Users\\All Users\\Templates\\services.exe\", \"C:\\Program Files\\Windows Media Player\\winlogon.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Users\\Public\\Recorded TV\\spoolsv.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Users\\All Users\\Templates\\services.exe\", \"C:\\Program Files\\Windows Media Player\\winlogon.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\System.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Users\\Admin\\dwm.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Users\\Public\\Recorded TV\\spoolsv.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Users\\Public\\Recorded TV\\spoolsv.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Users\\Public\\Recorded TV\\spoolsv.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Users\\All Users\\Templates\\services.exe\", \"C:\\Program Files\\Windows Media Player\\winlogon.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\System.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2756	schtasks.exe	31

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1840-1-0x0000000000120000-0x000000000034E000-memory.dmp	dcrat
behavioral1/files/0x00050000000193c4-38.dat	dcrat
behavioral1/files/0x000800000001942f-103.dat	dcrat
behavioral1/files/0x0010000000019401-212.dat	dcrat
behavioral1/memory/932-282-0x0000000000100000-0x000000000032E000-memory.dmp	dcrat
behavioral1/memory/3024-293-0x0000000000350000-0x000000000057E000-memory.dmp	dcrat
behavioral1/files/0x0007000000019c4a-297.dat	dcrat
behavioral1/memory/1968-305-0x00000000009B0000-0x0000000000BDE000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	812ac1ea0b1d66a93d0beca70cc28cbe.exe

Executes dropped EXE 3 IoCs

pid	Process
932	System.exe
3024	System.exe
1968	System.exe

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft Office\\Templates\\spoolsv.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\OSPPSVC.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Media Player\\winlogon.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\All Users\\Templates\\services.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Uninstall Information\\csrss.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Uninstall Information\\csrss.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\System.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Admin\\dwm.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Public\\Recorded TV\\spoolsv.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\OSPPSVC.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\explorer.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\All Users\\winlogon.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\WmiPrvSE.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Admin\\dwm.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\WmiPrvSE.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\System.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\explorer.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Media Player\\winlogon.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\All Users\\Templates\\services.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\All Users\\winlogon.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Default\\Start Menu\\audiodg.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft Office\\Templates\\spoolsv.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Public\\Recorded TV\\spoolsv.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Default\\Start Menu\\audiodg.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\csrss.exe\""	812ac1ea0b1d66a93d0beca70cc28cbe.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	812ac1ea0b1d66a93d0beca70cc28cbe.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\RCX6C0.tmp	812ac1ea0b1d66a93d0beca70cc28cbe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\spoolsv.exe	812ac1ea0b1d66a93d0beca70cc28cbe.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\f3b6ecef712a24	812ac1ea0b1d66a93d0beca70cc28cbe.exe
File opened for modification	C:\Program Files\Windows Media Player\RCXF814.tmp	812ac1ea0b1d66a93d0beca70cc28cbe.exe
File created	C:\Program Files\Uninstall Information\886983d96e3d3e	812ac1ea0b1d66a93d0beca70cc28cbe.exe
File opened for modification	C:\Program Files\Uninstall Information\csrss.exe	812ac1ea0b1d66a93d0beca70cc28cbe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\RCX6BF.tmp	812ac1ea0b1d66a93d0beca70cc28cbe.exe
File created	C:\Program Files\Windows Media Player\cc11b995f2a76d	812ac1ea0b1d66a93d0beca70cc28cbe.exe
File created	C:\Program Files\Uninstall Information\csrss.exe	812ac1ea0b1d66a93d0beca70cc28cbe.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXFC1E.tmp	812ac1ea0b1d66a93d0beca70cc28cbe.exe
File created	C:\Program Files\Windows Media Player\winlogon.exe	812ac1ea0b1d66a93d0beca70cc28cbe.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\spoolsv.exe	812ac1ea0b1d66a93d0beca70cc28cbe.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXFC1D.tmp	812ac1ea0b1d66a93d0beca70cc28cbe.exe
File opened for modification	C:\Program Files\Windows Media Player\RCXF813.tmp	812ac1ea0b1d66a93d0beca70cc28cbe.exe
File opened for modification	C:\Program Files\Windows Media Player\winlogon.exe	812ac1ea0b1d66a93d0beca70cc28cbe.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\services.exe	812ac1ea0b1d66a93d0beca70cc28cbe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
992	schtasks.exe
1684	schtasks.exe
1748	schtasks.exe
912	schtasks.exe
1076	schtasks.exe
1592	schtasks.exe
1280	schtasks.exe
1800	schtasks.exe
2528	schtasks.exe
3008	schtasks.exe
1760	schtasks.exe
1360	schtasks.exe
3020	schtasks.exe
1640	schtasks.exe
1476	schtasks.exe
2984	schtasks.exe
1932	schtasks.exe
1424	schtasks.exe
1496	schtasks.exe
2088	schtasks.exe
1188	schtasks.exe
856	schtasks.exe
2384	schtasks.exe
744	schtasks.exe
2064	schtasks.exe
1624	schtasks.exe
1728	schtasks.exe
2192	schtasks.exe
680	schtasks.exe
2172	schtasks.exe
2876	schtasks.exe
2708	schtasks.exe
412	schtasks.exe
3052	schtasks.exe
1712	schtasks.exe
2364	schtasks.exe
1268	schtasks.exe
2300	schtasks.exe
3012	schtasks.exe
2716	schtasks.exe
2904	schtasks.exe
2820	schtasks.exe
2812	schtasks.exe
996	schtasks.exe
1548	schtasks.exe
2584	schtasks.exe
1872	schtasks.exe
1896	schtasks.exe
2004	schtasks.exe
2028	schtasks.exe
1088	schtasks.exe
316	schtasks.exe
2580	schtasks.exe
1276	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
932	System.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Token: SeDebugPrivilege	932	System.exe
Token: SeDebugPrivilege	3024	System.exe
Token: SeDebugPrivilege	1968	System.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 932	1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe	86
PID 1840 wrote to memory of 932	1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe	86
PID 1840 wrote to memory of 932	1840	812ac1ea0b1d66a93d0beca70cc28cbe.exe	86
PID 932 wrote to memory of 2144	932	System.exe	87
PID 932 wrote to memory of 2144	932	System.exe	87
PID 932 wrote to memory of 2144	932	System.exe	87
PID 932 wrote to memory of 488	932	System.exe	88
PID 932 wrote to memory of 488	932	System.exe	88
PID 932 wrote to memory of 488	932	System.exe	88
PID 2144 wrote to memory of 3024	2144	WScript.exe	89
PID 2144 wrote to memory of 3024	2144	WScript.exe	89
PID 2144 wrote to memory of 3024	2144	WScript.exe	89
PID 3024 wrote to memory of 1744	3024	System.exe	90
PID 3024 wrote to memory of 1744	3024	System.exe	90
PID 3024 wrote to memory of 1744	3024	System.exe	90
PID 3024 wrote to memory of 3020	3024	System.exe	91
PID 3024 wrote to memory of 3020	3024	System.exe	91
PID 3024 wrote to memory of 3020	3024	System.exe	91
PID 1744 wrote to memory of 1968	1744	WScript.exe	92
PID 1744 wrote to memory of 1968	1744	WScript.exe	92
PID 1744 wrote to memory of 1968	1744	WScript.exe	92
PID 1968 wrote to memory of 1596	1968	System.exe	93
PID 1968 wrote to memory of 1596	1968	System.exe	93
PID 1968 wrote to memory of 1596	1968	System.exe	93
PID 1968 wrote to memory of 1580	1968	System.exe	94
PID 1968 wrote to memory of 1580	1968	System.exe	94
PID 1968 wrote to memory of 1580	1968	System.exe	94

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	812ac1ea0b1d66a93d0beca70cc28cbe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\812ac1ea0b1d66a93d0beca70cc28cbe.exe
"C:\Users\Admin\AppData\Local\Temp\812ac1ea0b1d66a93d0beca70cc28cbe.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1840
- C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe
  "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:932
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7422bbb-c4cb-421c-99f9-69dc80994971.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe
      C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3024
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29e7b325-e243-4c52-aff7-5bd5fa2ab843.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1744
      - C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2cc77e00-6949-4289-b959-6f97c10a9458.vbs"
        7⤵
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f630e597-8dd9-4067-a371-10d173a6fdb1.vbs"
        7⤵
        
        PID:1580
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1088a63d-af67-41e0-819f-5eaed9a5a162.vbs"
        5⤵
        
        PID:3020
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eab6d693-c8d1-4d2f-9cd8-b0a1e9180464.vbs"
    3⤵
    PID:488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Start Menu\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Start Menu\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Recorded TV\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Recorded TV\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Templates\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Templates\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe

Filesize
2.2MB

MD5
812ac1ea0b1d66a93d0beca70cc28cbe

SHA1
c5cff3dc9a2503521de74a7d4cda2f678f5bb575

SHA256
74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3

SHA512
01acc3b99130f0d263917e4e362caf25841b21e3a9a82ce40004db96239ebcc8762a57ebad020ed704213596a100d060475cd9fd61c5bd4df9a35ff14d4cc6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\29e7b325-e243-4c52-aff7-5bd5fa2ab843.vbs

Filesize
735B

MD5
982c3266ff08d4ace93e1174164bc2a9

SHA1
ce063dd1528130308ec6cd930cc59247c6423d47

SHA256
34ee9b2ebe58ad31016fe115cc835ccee8e8824301515d7a7a900e742673535d

SHA512
d41a06b6262c90f38adee4427da6d1f65c382bb7a00172fc640eaaf086d3a9fa34938dcc3237ac2c73814e5e8a1eb26ffb546b8875c43ba80e5e1ed6bef89652

Download Submit
C:\Users\Admin\AppData\Local\Temp\2cc77e00-6949-4289-b959-6f97c10a9458.vbs

Filesize
735B

MD5
437dbafb1a8fd2d76a52434b60d82128

SHA1
a0955977f79db0d90e13c7604de0263bd802130e

SHA256
00a95d9ee28909bfb44a15f4425c28e90ac036cb8be77c347a2d203c89e4a57a

SHA512
27bc370636215014be14149acc0536e0f31afa298a4a3353e4e3c192af6dda917147dd09f04178b112b143f731ef6d46bb6a24961e4df014a55f2eef732b4350

Download Submit
C:\Users\Admin\AppData\Local\Temp\abdfe80f24beaaba513656d863de8817e0acf644.exe

Filesize
2.2MB

MD5
87ae6a5202025ba43bcef7d59045e869

SHA1
1b2b8d62f7bae583cbcd670af5c712cd8802eaec

SHA256
352676b88a76eb6cdb1275553d2a9e8113389319b821d8ccc69df613232069d6

SHA512
d5a4007248673a9821dfe372c9cf40b8f9601b0e47dcdc5c9a34f967a81d03b2f7b45ffa67e6c56f08a4c0e4074bde0be38911820bb762835f8e9bc16da2b330

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7422bbb-c4cb-421c-99f9-69dc80994971.vbs

Filesize
734B

MD5
cf046e01b72451ad4c3535ca46c34835

SHA1
c92305c6d385923bcb76f4a0b64b49d7af3fbed9

SHA256
f5df64c12e529d64a6ea27d22c08f3de5773b6949e3ced98778933c9bc56a3d9

SHA512
4684f0aa0e41ddb6ebe2f3260835acca15e5c82cf88b6a6d6538260203bccb1d1e7db7344d9c490ea11bb71d1d3fab135b587d812fb770c5cb6bc8d08a3d2b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\eab6d693-c8d1-4d2f-9cd8-b0a1e9180464.vbs

Filesize
511B

MD5
60783f771bfc69ea37537671101360b2

SHA1
b11174b44749b68deb95017cfe95ee718d6d3487

SHA256
ea774ca96692334a3736c004fe0b84f25483db553d694e34276407c86acf2091

SHA512
66f9ae5325a0f6f6d5b88aa4b0fade0b9bcd1f8d2bdf61762f5f838f452c0c52fe8b02b95ff22550c8a741002eb9c4a7cd5ac6ec5d939384782b03c9886cd3f2

Download Submit
C:\Users\Admin\dwm.exe

Filesize
2.2MB

MD5
d34e4f4ec968b0a7ca28692ba4a9dbab

SHA1
368ef0ee5200f0914d8dc3299fb8ca22f17640f0

SHA256
1df0d1dffba58322d35969734d2d2b3b2867142f1983a1ebd7489ff670e336d6

SHA512
7904f62aa91011d62dfd43ab8a98b2e39bf9a52a90738fa199a167bd965e7ea351054a7129f18d01d16dd8b165bff542b46e037c88cd2fd649407a7bdc8193c7

Download Submit
C:\Users\Public\Recorded TV\spoolsv.exe

Filesize
2.2MB

MD5
e811f446ecc7461f2b74219c231a5e16

SHA1
9d17d876b7b3cf35a00d02a7f103144411b9916c

SHA256
000efac19d6735bcfd7673911394853fbd6dd53d988709364e4a935bad61d35f

SHA512
74ba7c5e8382c12fa5185c88fb98e5b8e1cae85194f8e2aa08289c1ceb7bc087abad023ffd2096e847201ab4f267bf37247799980f35578add1bae43d8f35a15

Download Submit
memory/932-282-0x0000000000100000-0x000000000032E000-memory.dmp

Filesize
2.2MB

Download
memory/1840-23-0x0000000000930000-0x000000000093E000-memory.dmp

Filesize
56KB

Download
memory/1840-27-0x0000000000970000-0x0000000000978000-memory.dmp

Filesize
32KB

Download
memory/1840-11-0x0000000000670000-0x0000000000680000-memory.dmp

Filesize
64KB

Download
memory/1840-12-0x0000000000650000-0x000000000065A000-memory.dmp

Filesize
40KB

Download
memory/1840-13-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/1840-14-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/1840-15-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/1840-16-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/1840-18-0x00000000006B0000-0x00000000006C2000-memory.dmp

Filesize
72KB

Download
memory/1840-19-0x00000000006E0000-0x00000000006EC000-memory.dmp

Filesize
48KB

Download
memory/1840-20-0x00000000006F0000-0x00000000006FC000-memory.dmp

Filesize
48KB

Download
memory/1840-21-0x0000000000910000-0x000000000091C000-memory.dmp

Filesize
48KB

Download
memory/1840-22-0x0000000000920000-0x000000000092A000-memory.dmp

Filesize
40KB

Download
memory/1840-0-0x000007FEF6513000-0x000007FEF6514000-memory.dmp

Filesize
4KB

Download
memory/1840-25-0x0000000000950000-0x000000000095E000-memory.dmp

Filesize
56KB

Download
memory/1840-24-0x0000000000940000-0x0000000000948000-memory.dmp

Filesize
32KB

Download
memory/1840-26-0x0000000000960000-0x000000000096C000-memory.dmp

Filesize
48KB

Download
memory/1840-10-0x0000000000640000-0x0000000000648000-memory.dmp

Filesize
32KB

Download
memory/1840-28-0x0000000000980000-0x000000000098C000-memory.dmp

Filesize
48KB

Download
memory/1840-29-0x000007FEF6510000-0x000007FEF6EFC000-memory.dmp

Filesize
9.9MB

Download
memory/1840-9-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/1840-8-0x0000000000510000-0x0000000000526000-memory.dmp

Filesize
88KB

Download
memory/1840-203-0x000007FEF6513000-0x000007FEF6514000-memory.dmp

Filesize
4KB

Download
memory/1840-7-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1840-226-0x000007FEF6510000-0x000007FEF6EFC000-memory.dmp

Filesize
9.9MB

Download
memory/1840-249-0x000007FEF6510000-0x000007FEF6EFC000-memory.dmp

Filesize
9.9MB

Download
memory/1840-281-0x000007FEF6510000-0x000007FEF6EFC000-memory.dmp

Filesize
9.9MB

Download
memory/1840-6-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/1840-5-0x0000000000490000-0x00000000004AC000-memory.dmp

Filesize
112KB

Download
memory/1840-4-0x0000000000480000-0x000000000048E000-memory.dmp

Filesize
56KB

Download
memory/1840-1-0x0000000000120000-0x000000000034E000-memory.dmp

Filesize
2.2MB

Download
memory/1840-3-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/1840-2-0x000007FEF6510000-0x000007FEF6EFC000-memory.dmp

Filesize
9.9MB

Download
memory/1968-305-0x00000000009B0000-0x0000000000BDE000-memory.dmp

Filesize
2.2MB

Download
memory/3024-293-0x0000000000350000-0x000000000057E000-memory.dmp

Filesize
2.2MB

Download