dcrat | ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff

Resubmissions

13/01/2025, 06:01

250113-gqyq5syqex 10

12/01/2025, 22:40

250112-2ll7rsvqek 10

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
12/01/2025, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Size

1.5MB
MD5

207f37be38ccbb0fe77bda8d4ab69187
SHA1

97a4aa79a700e336ca8450bfbf38d7e18215173b
SHA256

ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff
SHA512

34350185b31d087e3d9027bdaa382497c061d68fd9d30a201d2563598fdaf2ef05dc8f08f27bc13af0303fc5694f2fea997e1ef042168e705cc83c3f23f6c93e
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRK:kzhWhCXQFN+0IEuQgyiVKS

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 9 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2852	schtasks.exe
		2860	schtasks.exe
		2816	schtasks.exe
		2700	schtasks.exe
		2716	schtasks.exe
		2688	schtasks.exe
		2756	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\tzres\f3b6ecef712a24		ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\tzres\\spoolsv.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\tzres\\spoolsv.exe\", \"C:\\ProgramData\\Templates\\smss.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\tzres\\spoolsv.exe\", \"C:\\ProgramData\\Templates\\smss.exe\", \"C:\\Documents and Settings\\services.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\tzres\\spoolsv.exe\", \"C:\\ProgramData\\Templates\\smss.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\PerfLogs\\Admin\\dllhost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\tzres\\spoolsv.exe\", \"C:\\ProgramData\\Templates\\smss.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\PerfLogs\\Admin\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\smss.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\tzres\\spoolsv.exe\", \"C:\\ProgramData\\Templates\\smss.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\PerfLogs\\Admin\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\smss.exe\", \"C:\\Windows\\System32\\wscsvc\\sppsvc.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\tzres\\spoolsv.exe\", \"C:\\ProgramData\\Templates\\smss.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\PerfLogs\\Admin\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\smss.exe\", \"C:\\Windows\\System32\\wscsvc\\sppsvc.exe\", \"C:\\Documents and Settings\\dllhost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2972	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2972	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2972	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2972	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2972	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2972	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2972	schtasks.exe	30

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1960	powershell.exe
1804	powershell.exe
352	powershell.exe
1384	powershell.exe
1976	powershell.exe
2936	powershell.exe
1280	powershell.exe
1528	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe

Executes dropped EXE 9 IoCs

pid	Process
2112	smss.exe
584	smss.exe
1956	smss.exe
2868	smss.exe
1472	smss.exe
600	smss.exe
1696	smss.exe
2744	smss.exe
1540	smss.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\tzres\\spoolsv.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\PerfLogs\\Admin\\dllhost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\wscsvc\\sppsvc.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Documents and Settings\\dllhost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\ProgramData\\Templates\\smss.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Documents and Settings\\services.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\PerfLogs\\Admin\\dllhost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\smss.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Documents and Settings\\dllhost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\ProgramData\\Templates\\smss.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\smss.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\wscsvc\\sppsvc.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\tzres\\spoolsv.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Documents and Settings\\services.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\wscsvc\RCXC0B6.tmp	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Windows\System32\wscsvc\sppsvc.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\tzres\spoolsv.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Windows\System32\tzres\spoolsv.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\tzres\f3b6ecef712a24	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\wscsvc\sppsvc.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\wscsvc\0a1fd5f707cd16	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Windows\System32\tzres\RCXB5C9.tmp	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\fr-FR\smss.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\69ddcba757bf72	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\RCXBE45.tmp	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\smss.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2688	schtasks.exe
2756	schtasks.exe
2816	schtasks.exe
2700	schtasks.exe
2852	schtasks.exe
2716	schtasks.exe
2860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
1528	powershell.exe
2936	powershell.exe
352	powershell.exe
1804	powershell.exe
1976	powershell.exe
1960	powershell.exe
1280	powershell.exe
1384	powershell.exe
2112	smss.exe
2112	smss.exe
2112	smss.exe
2112	smss.exe
2112	smss.exe
2112	smss.exe
2112	smss.exe
2112	smss.exe
2112	smss.exe
2112	smss.exe
2112	smss.exe
2112	smss.exe
2112	smss.exe
2112	smss.exe
2112	smss.exe
2112	smss.exe
2112	smss.exe
2112	smss.exe
2112	smss.exe
2112	smss.exe
2112	smss.exe
2112	smss.exe
584	smss.exe
584	smss.exe
584	smss.exe
584	smss.exe
584	smss.exe
584	smss.exe
584	smss.exe
584	smss.exe
584	smss.exe
584	smss.exe
584	smss.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	2112	smss.exe
Token: SeDebugPrivilege	584	smss.exe
Token: SeDebugPrivilege	1956	smss.exe
Token: SeDebugPrivilege	2868	smss.exe
Token: SeDebugPrivilege	1472	smss.exe
Token: SeDebugPrivilege	600	smss.exe
Token: SeDebugPrivilege	1696	smss.exe
Token: SeDebugPrivilege	2744	smss.exe
Token: SeDebugPrivilege	1540	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2936	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	38
PID 2132 wrote to memory of 2936	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	38
PID 2132 wrote to memory of 2936	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	38
PID 2132 wrote to memory of 1528	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	39
PID 2132 wrote to memory of 1528	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	39
PID 2132 wrote to memory of 1528	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	39
PID 2132 wrote to memory of 1280	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	40
PID 2132 wrote to memory of 1280	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	40
PID 2132 wrote to memory of 1280	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	40
PID 2132 wrote to memory of 1960	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	42
PID 2132 wrote to memory of 1960	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	42
PID 2132 wrote to memory of 1960	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	42
PID 2132 wrote to memory of 1804	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	43
PID 2132 wrote to memory of 1804	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	43
PID 2132 wrote to memory of 1804	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	43
PID 2132 wrote to memory of 352	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	44
PID 2132 wrote to memory of 352	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	44
PID 2132 wrote to memory of 352	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	44
PID 2132 wrote to memory of 1384	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	45
PID 2132 wrote to memory of 1384	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	45
PID 2132 wrote to memory of 1384	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	45
PID 2132 wrote to memory of 1976	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	46
PID 2132 wrote to memory of 1976	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	46
PID 2132 wrote to memory of 1976	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	46
PID 2132 wrote to memory of 2112	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	54
PID 2132 wrote to memory of 2112	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	54
PID 2132 wrote to memory of 2112	2132	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	54
PID 2112 wrote to memory of 2660	2112	smss.exe	56
PID 2112 wrote to memory of 2660	2112	smss.exe	56
PID 2112 wrote to memory of 2660	2112	smss.exe	56
PID 2112 wrote to memory of 2304	2112	smss.exe	57
PID 2112 wrote to memory of 2304	2112	smss.exe	57
PID 2112 wrote to memory of 2304	2112	smss.exe	57
PID 2660 wrote to memory of 584	2660	WScript.exe	58
PID 2660 wrote to memory of 584	2660	WScript.exe	58
PID 2660 wrote to memory of 584	2660	WScript.exe	58
PID 584 wrote to memory of 2744	584	smss.exe	59
PID 584 wrote to memory of 2744	584	smss.exe	59
PID 584 wrote to memory of 2744	584	smss.exe	59
PID 584 wrote to memory of 1100	584	smss.exe	60
PID 584 wrote to memory of 1100	584	smss.exe	60
PID 584 wrote to memory of 1100	584	smss.exe	60
PID 2744 wrote to memory of 1956	2744	WScript.exe	61
PID 2744 wrote to memory of 1956	2744	WScript.exe	61
PID 2744 wrote to memory of 1956	2744	WScript.exe	61
PID 1956 wrote to memory of 1544	1956	smss.exe	62
PID 1956 wrote to memory of 1544	1956	smss.exe	62
PID 1956 wrote to memory of 1544	1956	smss.exe	62
PID 1956 wrote to memory of 976	1956	smss.exe	63
PID 1956 wrote to memory of 976	1956	smss.exe	63
PID 1956 wrote to memory of 976	1956	smss.exe	63
PID 1544 wrote to memory of 2868	1544	WScript.exe	64
PID 1544 wrote to memory of 2868	1544	WScript.exe	64
PID 1544 wrote to memory of 2868	1544	WScript.exe	64
PID 2868 wrote to memory of 2604	2868	smss.exe	65
PID 2868 wrote to memory of 2604	2868	smss.exe	65
PID 2868 wrote to memory of 2604	2868	smss.exe	65
PID 2868 wrote to memory of 2732	2868	smss.exe	66
PID 2868 wrote to memory of 2732	2868	smss.exe	66
PID 2868 wrote to memory of 2732	2868	smss.exe	66
PID 2604 wrote to memory of 1472	2604	WScript.exe	67
PID 2604 wrote to memory of 1472	2604	WScript.exe	67
PID 2604 wrote to memory of 1472	2604	WScript.exe	67
PID 1472 wrote to memory of 1384	1472	smss.exe	68

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
"C:\Users\Admin\AppData\Local\Temp\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\tzres\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Templates\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wscsvc\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\ProgramData\Templates\smss.exe
  "C:\ProgramData\Templates\smss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2112
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26a4b328-ed41-4d1c-8bfe-2c43d1ea938c.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\ProgramData\Templates\smss.exe
      C:\ProgramData\Templates\smss.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:584
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65a00a36-1a41-434c-8c28-4d01dc167ed9.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\ProgramData\Templates\smss.exe
        
        C:\ProgramData\Templates\smss.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d85c7f8-e89d-4361-8c66-78f1ce5e94be.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\ProgramData\Templates\smss.exe
        
        C:\ProgramData\Templates\smss.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95163a3b-7ed7-44f2-b922-df7b01cf7a64.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\ProgramData\Templates\smss.exe
        
        C:\ProgramData\Templates\smss.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f76f28db-bffc-47a2-b387-811c2cd68991.vbs"
        11⤵
        
        PID:1384
        
        C:\ProgramData\Templates\smss.exe
        
        C:\ProgramData\Templates\smss.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6474c3b9-d580-4382-9e10-d23988110faa.vbs"
        13⤵
        
        PID:3004
        
        C:\ProgramData\Templates\smss.exe
        
        C:\ProgramData\Templates\smss.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50ab4fa0-a108-4523-8ee2-53c273fa7877.vbs"
        15⤵
        
        PID:2704
        
        C:\ProgramData\Templates\smss.exe
        
        C:\ProgramData\Templates\smss.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac7926cb-90f0-4584-ad5f-043921100492.vbs"
        17⤵
        
        PID:2100
        
        C:\ProgramData\Templates\smss.exe
        
        C:\ProgramData\Templates\smss.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53cc3d42-9acc-4fb2-919e-74cbb641d9a0.vbs"
        19⤵
        
        PID:1280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49f0f0f4-b818-4a75-a995-087e8bb5492e.vbs"
        19⤵
        
        PID:620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05636c8f-5ee0-42d6-819a-9540898fd8aa.vbs"
        17⤵
        
        PID:2552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2b37ad5-7aef-41bb-85ae-2d71b3583f78.vbs"
        15⤵
        
        PID:2412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e3b573d-ccfa-42df-a007-416ed073f903.vbs"
        13⤵
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf333c9f-2c1f-49f2-8c48-c260c8377ffb.vbs"
        11⤵
        
        PID:2044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83821945-5469-4d2b-8e8e-1ef999ef6bd9.vbs"
        9⤵
        
        PID:2732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26fb9853-42ec-47e0-b2b2-725609e4e47e.vbs"
        7⤵
        
        PID:976
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d520d34d-be6d-41b2-9b46-c1e2b0b892a5.vbs"
        5⤵
        
        PID:1100
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\088ec8a9-d6e8-455f-91ea-a6b4fc663bf6.vbs"
    3⤵
    PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\tzres\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\ProgramData\Templates\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PerfLogs\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\wscsvc\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Mail\fr-FR\smss.exe

Filesize
1.5MB

MD5
207f37be38ccbb0fe77bda8d4ab69187

SHA1
97a4aa79a700e336ca8450bfbf38d7e18215173b

SHA256
ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff

SHA512
34350185b31d087e3d9027bdaa382497c061d68fd9d30a201d2563598fdaf2ef05dc8f08f27bc13af0303fc5694f2fea997e1ef042168e705cc83c3f23f6c93e

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\smss.exe

Filesize
1.5MB

MD5
47bed66bd600935327b445644d9faa8c

SHA1
793373152c203037d09797535dc8f2d1cf6182f5

SHA256
b84231cbcc9018759e7878dfb0240e21de8a4b4f4b41883886ff551574080912

SHA512
da92b0f3dbf9036dcc31a5f82bc188d7cc1c67a182640db9e5c0a05201380f8956ab7536b94f7851716e7dbb97c33996a231025b62870f1f2e25214b071afe55

Download Submit
C:\Users\Admin\AppData\Local\Temp\088ec8a9-d6e8-455f-91ea-a6b4fc663bf6.vbs

Filesize
485B

MD5
dcb49b2490b3c1f4353e91cf4eeda15d

SHA1
09afd8f5b5fba8c6c54ff749c1ea1a061ec87a48

SHA256
e62f1cea7d7b85d859d2430ebc7c27091f635b71badd1e0a5d7273b51e8bdf2e

SHA512
ee6b642bf8095164ad5e00b840e60167b3dbaee4af16b639c086988661540453398c91d1a30d02f6dc71a86b79599cc46098bc5f6e5729a7134dbae97c9c930d

Download Submit
C:\Users\Admin\AppData\Local\Temp\26a4b328-ed41-4d1c-8bfe-2c43d1ea938c.vbs

Filesize
709B

MD5
59364452371fcfa8c040d93b0519d713

SHA1
20deae344690cd23690b4cb5e3b33fc5e046938d

SHA256
bd000602b7935b8f519147db05144f1e37e9fba0100b297c229e51257cc2856f

SHA512
399f069cbe7ece945718a781ff3b1169f7cf216da6859b0b0d548959452a5152031a44d27d76568c20e358394062b02577319552779bafd20fd39802e589fe01

Download Submit
C:\Users\Admin\AppData\Local\Temp\50ab4fa0-a108-4523-8ee2-53c273fa7877.vbs

Filesize
709B

MD5
2d5660f82850042cfc52425798c8acc5

SHA1
dd047653a1b7c257ebf57882ba869547d470e5a4

SHA256
16c37b98384ca26e4abc80e1c96081a94ad5f0753ed8751a1ec96cdfd9ea6cb2

SHA512
13bc4dac07833891b0c2f0baed443eb3dd32578a9dee90cf1e305ae12bfc5ceb37dc12058eeb163fc018df19c8207cd69fcdd456c3a40b88f6d796efbd62d9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\53cc3d42-9acc-4fb2-919e-74cbb641d9a0.vbs

Filesize
709B

MD5
47fc7da8da025a586647fb7253e3df27

SHA1
1ecbe16c71cd5c4bb8f50a71e7c854e8e9eee62d

SHA256
523fa851bdb9205d2f037d8266e23ae04b3a8ae57da34c1592b15e5546c66aad

SHA512
0600ffd8470113df8f5b7e40b3b0945c7083a3eb9fbebc04845870785bd01f0b7e735b7002ce56904ccf957e628318d1dca60a4a17e3863dcc02b27529c89e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d85c7f8-e89d-4361-8c66-78f1ce5e94be.vbs

Filesize
709B

MD5
88356de202a5b594e44c7737d1c7ac86

SHA1
d5e107acebb2ab9177ce70a657d806cc78a96b35

SHA256
92e268c6bb2cfeffee41d09cd4938bb3d816e758a06958c494dff3e06f03a855

SHA512
8a6055002b18c1fb51990f963204dc2edb64421056de1e4c9276d2109d84d52b0170e661eb91918e41550eae2f5005e452c490291377a7ff658c929c52ce6932

Download Submit
C:\Users\Admin\AppData\Local\Temp\6474c3b9-d580-4382-9e10-d23988110faa.vbs

Filesize
708B

MD5
8fd91ebb562fa99c605f4c9f42a600bd

SHA1
242b3c20e7191622931b91145f1246a88d770398

SHA256
94b1ed89fde8378ab499bba2d9189ea6c7e7e24d9c7b65b2b7ef9ff69d61cd11

SHA512
e31cb7517928f79705619bb4e5b71a96b14da842876c6872c0e6e136ce1bce872b9a8b642eecd40f84e090983d08b7b419b93adaf1785df97906cce1b0dbd2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\65a00a36-1a41-434c-8c28-4d01dc167ed9.vbs

Filesize
708B

MD5
82128bb61ca53714d1eac19307d8da2b

SHA1
6a345f19c8e9e2215621ea3a0bb453d9ba508bca

SHA256
4b846f574e979d887a308e2cd61e2be4d6e4f7cd4c32155c4315dd28682a4069

SHA512
1802131a89414650f0772f44ec0fea8df8b65173a5cc32638e43189d4513732c33568e28a1845fd84e05a21c808b246807a87a794889c8ac40724a9bb0a5fad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\95163a3b-7ed7-44f2-b922-df7b01cf7a64.vbs

Filesize
709B

MD5
4f5b93ffdc4b71810466066b8dfce3aa

SHA1
dad146ba859d2cfa41a2eab23166ee6f1994e53c

SHA256
364ced498179037a2345be0b937a80d721f49d0e8fe9ddcbb37d5a93a47db763

SHA512
acc08a61a7f71c11eba3b303d12c4ec9479009bb751beb297fe9e8686e76039d48e819438dccc5022be88eb9f3d0243562b0aad337ce209cf9e9de5d123e7c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac7926cb-90f0-4584-ad5f-043921100492.vbs

Filesize
709B

MD5
62f50961a5287c00ca8f4f60be8164d6

SHA1
8dc392cff92366dab42b38dac950ea8c8fe8814d

SHA256
9691d5eeb783b88e24bc671c8e6cfd930e6197cc398ca1445d3a9a7cc7477dc4

SHA512
0bf4d44f55abd0d5b9ebc05e83f198f5a72668e730abe9bb20afff916ecde005eceeb1ef872ec1d4f6ffb8c57c8a2b4572d5e32d55e58ae8292474a0b9abccab

Download Submit
C:\Users\Admin\AppData\Local\Temp\f76f28db-bffc-47a2-b387-811c2cd68991.vbs

Filesize
709B

MD5
96130876ef81910ec320136832fc8ffc

SHA1
0324c807914bbc5e66c04862ef28012210e52d10

SHA256
9ae5e3af39350eca24597eb7f9a8b3aec3dfdb6a0fdcb1d76e73b694f29e4e64

SHA512
3750a9a40eb0a5e07276607221927bf37ccd9501e03a6a877d9772b40242d6cb86889dd116d990d91345a04013f0634ce01c2cecf6039f5ebbdf11604a7c06f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ff39514836c42b29965daf686f8c7092

SHA1
1ebd768df46bd2c101263d5a762d55b5b0b8267d

SHA256
5ef994706e4a533a203e87f3ff33a075c477979976c938d6f32f84facf0e405f

SHA512
96c17a43c336897be91a3cfc893fd09a968ba6c2487894272402574fb596c67a9e5480529d7f3c0c99671da0123cada84bca000b0c8d8f863f972becb4bb541a

Download Submit
memory/584-149-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/600-196-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/600-195-0x0000000000C30000-0x0000000000DAE000-memory.dmp

Filesize
1.5MB

Download
memory/1472-183-0x0000000000360000-0x00000000004DE000-memory.dmp

Filesize
1.5MB

Download
memory/1528-103-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/1528-104-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/1540-231-0x0000000000CF0000-0x0000000000E6E000-memory.dmp

Filesize
1.5MB

Download
memory/2112-138-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2112-112-0x0000000001270000-0x00000000013EE000-memory.dmp

Filesize
1.5MB

Download
memory/2132-18-0x0000000000850000-0x0000000000858000-memory.dmp

Filesize
32KB

Download
memory/2132-0-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

Filesize
4KB

Download
memory/2132-8-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/2132-24-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2132-21-0x0000000002080000-0x0000000002088000-memory.dmp

Filesize
32KB

Download
memory/2132-137-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2132-20-0x0000000000860000-0x000000000086C000-memory.dmp

Filesize
48KB

Download
memory/2132-9-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/2132-6-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/2132-5-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2132-17-0x0000000000840000-0x000000000084C000-memory.dmp

Filesize
48KB

Download
memory/2132-7-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2132-4-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2132-16-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/2132-15-0x0000000000820000-0x000000000082A000-memory.dmp

Filesize
40KB

Download
memory/2132-14-0x0000000000810000-0x000000000081C000-memory.dmp

Filesize
48KB

Download
memory/2132-13-0x0000000000800000-0x000000000080A000-memory.dmp

Filesize
40KB

Download
memory/2132-12-0x00000000007F0000-0x00000000007F8000-memory.dmp

Filesize
32KB

Download
memory/2132-3-0x00000000002C0000-0x00000000002C8000-memory.dmp

Filesize
32KB

Download
memory/2132-2-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2132-1-0x0000000000870000-0x00000000009EE000-memory.dmp

Filesize
1.5MB

Download
memory/2132-11-0x00000000007E0000-0x00000000007F0000-memory.dmp

Filesize
64KB

Download
memory/2132-10-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/2744-219-0x0000000000CD0000-0x0000000000E4E000-memory.dmp

Filesize
1.5MB

Download