dcrat | 4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Size

1.5MB
MD5

175728fc0156adf96439d339ae5a0658
SHA1

77712760c74c0d4826916126c1539ed0ce235dc5
SHA256

4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1
SHA512

436c18106c410c14d538a288458b3c91d2a0ffbbd22ae80d585482fbf9a0b710b980b4bfdf023528f064380494a0aad04d5d3936ffc6f88f2ea98e0ac5d26818
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRi:kzhWhCXQFN+0IEuQgyiVKq

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 7 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1468	schtasks.exe
		2896	schtasks.exe
File created	C:\Windows\System32\tssrvlic\f3b6ecef712a24		4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
		1812	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
		3060	schtasks.exe
		2608	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\tssrvlic\\spoolsv.exe\", \"C:\\PerfLogs\\Admin\\dwm.exe\", \"C:\\Windows\\System32\\mfc120rus\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\lsm.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\tssrvlic\\spoolsv.exe\", \"C:\\PerfLogs\\Admin\\dwm.exe\", \"C:\\Windows\\System32\\mfc120rus\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\lsm.exe\", \"C:\\Windows\\Microsoft.NET\\Framework\\smss.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\tssrvlic\\spoolsv.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\tssrvlic\\spoolsv.exe\", \"C:\\PerfLogs\\Admin\\dwm.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\tssrvlic\\spoolsv.exe\", \"C:\\PerfLogs\\Admin\\dwm.exe\", \"C:\\Windows\\System32\\mfc120rus\\taskhost.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2552	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2552	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2552	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2552	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2552	schtasks.exe	31

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2016	powershell.exe
2280	powershell.exe
2812	powershell.exe
2544	powershell.exe
1236	powershell.exe
2044	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe

Executes dropped EXE 11 IoCs

pid	Process
2168	lsm.exe
2444	lsm.exe
1544	lsm.exe
1628	lsm.exe
2512	lsm.exe
2344	lsm.exe
2248	lsm.exe
2400	lsm.exe
1628	lsm.exe
1988	lsm.exe
2300	lsm.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Microsoft.NET\\Framework\\smss.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\tssrvlic\\spoolsv.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\PerfLogs\\Admin\\dwm.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\PerfLogs\\Admin\\dwm.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\mfc120rus\\taskhost.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\lsm.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\lsm.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\tssrvlic\\spoolsv.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\mfc120rus\\taskhost.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Microsoft.NET\\Framework\\smss.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\tssrvlic\spoolsv.exe	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File created	C:\Windows\System32\tssrvlic\f3b6ecef712a24	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File created	C:\Windows\System32\mfc120rus\taskhost.exe	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File created	C:\Windows\System32\mfc120rus\b75386f1303e64	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File opened for modification	C:\Windows\System32\tssrvlic\RCXF420.tmp	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File opened for modification	C:\Windows\System32\mfc120rus\RCXF895.tmp	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File opened for modification	C:\Windows\System32\mfc120rus\taskhost.exe	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File created	C:\Windows\System32\tssrvlic\spoolsv.exe	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\101b941d020240	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\RCXFA98.tmp	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\scheduled\Maintenance\es-ES\WMIADAP.exe	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File created	C:\Windows\Microsoft.NET\Framework\smss.exe	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File created	C:\Windows\Microsoft.NET\Framework\69ddcba757bf72	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\RCXFC9C.tmp	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\smss.exe	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3060	schtasks.exe
2608	schtasks.exe
1468	schtasks.exe
2896	schtasks.exe
1812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2812	powershell.exe
2044	powershell.exe
2280	powershell.exe
1236	powershell.exe
2544	powershell.exe
2016	powershell.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2168	lsm.exe
2444	lsm.exe
2444	lsm.exe
2444	lsm.exe
2444	lsm.exe
2444	lsm.exe
2444	lsm.exe
2444	lsm.exe
2444	lsm.exe
2444	lsm.exe
2444	lsm.exe
2444	lsm.exe
2444	lsm.exe
2444	lsm.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2168	lsm.exe
Token: SeDebugPrivilege	2444	lsm.exe
Token: SeDebugPrivilege	1544	lsm.exe
Token: SeDebugPrivilege	1628	lsm.exe
Token: SeDebugPrivilege	2512	lsm.exe
Token: SeDebugPrivilege	2344	lsm.exe
Token: SeDebugPrivilege	2248	lsm.exe
Token: SeDebugPrivilege	2400	lsm.exe
Token: SeDebugPrivilege	1628	lsm.exe
Token: SeDebugPrivilege	1988	lsm.exe
Token: SeDebugPrivilege	2300	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2544	2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	37
PID 2260 wrote to memory of 2544	2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	37
PID 2260 wrote to memory of 2544	2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	37
PID 2260 wrote to memory of 2812	2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	38
PID 2260 wrote to memory of 2812	2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	38
PID 2260 wrote to memory of 2812	2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	38
PID 2260 wrote to memory of 1236	2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	39
PID 2260 wrote to memory of 1236	2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	39
PID 2260 wrote to memory of 1236	2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	39
PID 2260 wrote to memory of 2044	2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	40
PID 2260 wrote to memory of 2044	2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	40
PID 2260 wrote to memory of 2044	2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	40
PID 2260 wrote to memory of 2016	2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	41
PID 2260 wrote to memory of 2016	2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	41
PID 2260 wrote to memory of 2016	2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	41
PID 2260 wrote to memory of 2280	2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	42
PID 2260 wrote to memory of 2280	2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	42
PID 2260 wrote to memory of 2280	2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	42
PID 2260 wrote to memory of 2168	2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	49
PID 2260 wrote to memory of 2168	2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	49
PID 2260 wrote to memory of 2168	2260	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	49
PID 2168 wrote to memory of 1816	2168	lsm.exe	50
PID 2168 wrote to memory of 1816	2168	lsm.exe	50
PID 2168 wrote to memory of 1816	2168	lsm.exe	50
PID 2168 wrote to memory of 3044	2168	lsm.exe	51
PID 2168 wrote to memory of 3044	2168	lsm.exe	51
PID 2168 wrote to memory of 3044	2168	lsm.exe	51
PID 1816 wrote to memory of 2444	1816	WScript.exe	52
PID 1816 wrote to memory of 2444	1816	WScript.exe	52
PID 1816 wrote to memory of 2444	1816	WScript.exe	52
PID 2444 wrote to memory of 2720	2444	lsm.exe	53
PID 2444 wrote to memory of 2720	2444	lsm.exe	53
PID 2444 wrote to memory of 2720	2444	lsm.exe	53
PID 2444 wrote to memory of 1220	2444	lsm.exe	54
PID 2444 wrote to memory of 1220	2444	lsm.exe	54
PID 2444 wrote to memory of 1220	2444	lsm.exe	54
PID 2720 wrote to memory of 1544	2720	WScript.exe	55
PID 2720 wrote to memory of 1544	2720	WScript.exe	55
PID 2720 wrote to memory of 1544	2720	WScript.exe	55
PID 1544 wrote to memory of 2912	1544	lsm.exe	56
PID 1544 wrote to memory of 2912	1544	lsm.exe	56
PID 1544 wrote to memory of 2912	1544	lsm.exe	56
PID 1544 wrote to memory of 304	1544	lsm.exe	57
PID 1544 wrote to memory of 304	1544	lsm.exe	57
PID 1544 wrote to memory of 304	1544	lsm.exe	57
PID 2912 wrote to memory of 1628	2912	WScript.exe	58
PID 2912 wrote to memory of 1628	2912	WScript.exe	58
PID 2912 wrote to memory of 1628	2912	WScript.exe	58
PID 1628 wrote to memory of 2820	1628	lsm.exe	59
PID 1628 wrote to memory of 2820	1628	lsm.exe	59
PID 1628 wrote to memory of 2820	1628	lsm.exe	59
PID 1628 wrote to memory of 776	1628	lsm.exe	60
PID 1628 wrote to memory of 776	1628	lsm.exe	60
PID 1628 wrote to memory of 776	1628	lsm.exe	60
PID 2820 wrote to memory of 2512	2820	WScript.exe	61
PID 2820 wrote to memory of 2512	2820	WScript.exe	61
PID 2820 wrote to memory of 2512	2820	WScript.exe	61
PID 2512 wrote to memory of 2372	2512	lsm.exe	62
PID 2512 wrote to memory of 2372	2512	lsm.exe	62
PID 2512 wrote to memory of 2372	2512	lsm.exe	62
PID 2512 wrote to memory of 2260	2512	lsm.exe	63
PID 2512 wrote to memory of 2260	2512	lsm.exe	63
PID 2512 wrote to memory of 2260	2512	lsm.exe	63
PID 2372 wrote to memory of 2344	2372	WScript.exe	64

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
"C:\Users\Admin\AppData\Local\Temp\4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\tssrvlic\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\mfc120rus\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe
  "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2168
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff2218c2-36e8-452b-8fbe-32a131784be8.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe
      "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2444
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b28cf0db-6e31-454a-9bd2-7291e43883e8.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68b58a40-8552-47cf-87dd-44a6b2396ba0.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a4b6df6-f248-42e3-8ce9-7b1a464ee31e.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de06b90d-391b-4878-af65-bf23bcb83f2f.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c602c45b-ea9b-4aa6-8fc4-8cbca6fcebd2.vbs"
        13⤵
        
        PID:2316
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d92e5a25-316c-403f-ae18-f15410ef082e.vbs"
        15⤵
        
        PID:1068
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14dffc70-6ffe-4301-8331-daa4ed39a101.vbs"
        17⤵
        
        PID:1252
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d7e4e92-e490-4e78-b974-26e6471ba689.vbs"
        19⤵
        
        PID:2536
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71c43ea9-f274-473d-ac16-fc1fd7eb4abc.vbs"
        21⤵
        
        PID:2108
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b86fcb5-8cea-4a84-9087-be1496666935.vbs"
        23⤵
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa4b9f63-4424-4764-8df8-cd12da3f3c61.vbs"
        23⤵
        
        PID:1512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d2dfe93-e982-4a15-ad1c-3a0d09568f74.vbs"
        21⤵
        
        PID:1672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14d04c24-1776-4b33-a42a-39ba8110adf1.vbs"
        19⤵
        
        PID:2820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a19d8e7c-0a02-49b8-936e-a3bba17ed1f3.vbs"
        17⤵
        
        PID:2520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19ea1c1e-40b1-4d2a-b40d-bb4c1f711349.vbs"
        15⤵
        
        PID:2836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64975e7e-f39f-4aba-9418-d4decf27383d.vbs"
        13⤵
        
        PID:1204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ced0aeef-60a4-4974-afe2-966be7263f8d.vbs"
        11⤵
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a2caf6c-52cf-43b1-9a87-b7be005fc71c.vbs"
        9⤵
        
        PID:776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bba04a4-3c16-47cd-9ad9-dcae32848654.vbs"
        7⤵
        
        PID:304
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d3ef6bc-be7d-48d0-bac7-b9ba18676629.vbs"
        5⤵
        
        PID:1220
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a99cceb-67a0-438b-afd6-44a1c393f50c.vbs"
    3⤵
    PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\tssrvlic\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\PerfLogs\Admin\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\mfc120rus\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14dffc70-6ffe-4301-8331-daa4ed39a101.vbs

Filesize
757B

MD5
b4f7be5ea60b1545c636d98156bc883d

SHA1
00ff1fb49b70c98c8cb80ed50285cfa8678c6e49

SHA256
2ca06f7f632379b3b9b144511b47cadecd5a97427c0b28a2acd1bf9e04f9458f

SHA512
b3790210abd28ca3f62b0756ba5793c14f917754dac974612991a8f2783bf8829a36fedf6f27a912677bbeac49e029fe34689a1c7968a688571ca74163718adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\68b58a40-8552-47cf-87dd-44a6b2396ba0.vbs

Filesize
757B

MD5
159f77f64359d34236cd64ba6f5ced40

SHA1
f2dedf5d71c5f3f91d23d50fe58e48ae37978f6e

SHA256
88c6fd1659d65af9c3fd72ddb6c52519febebda8e0203644c8231cd0f0a362ac

SHA512
da4e478ef2a26bc7f569053e2845597648179461ec419c105d349451d20b8e8b839e26890d69777c217e94d36dd57a9a08f308ef1a3f29f6af8836b42555f6fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a4b6df6-f248-42e3-8ce9-7b1a464ee31e.vbs

Filesize
757B

MD5
239d794663fa09317f24ea29dae943ac

SHA1
84945b8eb47b02097815f8f5a9319321cc1412c2

SHA256
f2a732aedcc85e8f607f189f7b888eaa990ee2fa97f78fa7056e4013a6dc81fa

SHA512
1aa2a851eecfe5d9d916028a2c2c3076490dc68265b27db70538461b8656e5a728ce0b4860cebe8853eb78bb7a5043819e11b02c139115e203173e35af275f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a99cceb-67a0-438b-afd6-44a1c393f50c.vbs

Filesize
533B

MD5
f5c97c863b25c57d8bb894277674f84a

SHA1
5625beb523c1653b3ba4058842c5896e5e41dd2a

SHA256
12cdae152ff154b79b6809e7af3d1c1d7ef38bcbb840e165fe1e803fe54cfbee

SHA512
3f4979a41d2b3ecaf291c29ff0eb3d47188687ecd1509bcec47b1dd12fc82aa46a46ec99cf09833cc68e7b20642a1b03126171e553fbf19879d95f831f9c0793

Download Submit
C:\Users\Admin\AppData\Local\Temp\71c43ea9-f274-473d-ac16-fc1fd7eb4abc.vbs

Filesize
757B

MD5
cc5a6aa7fb10c98273e2a600196ee732

SHA1
fe85971a8f2a9ea86705244e0e763bbbda507cdd

SHA256
1f159595abd2ddc69f9b34cb0e29a027a149aac945fb75e80d68bd98a74f671b

SHA512
c0dbca321da1e497c827df9c94047b68ca5702d521c0ab461d26934d0f3c705f96137b66f7c08a50d0d205f9eda53cde7b06e78f06e1ebda65c299e1ff3df139

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b86fcb5-8cea-4a84-9087-be1496666935.vbs

Filesize
757B

MD5
ccef6a7b10db6df4495ce9f6f7f4a4bc

SHA1
4ed78012d070ee8dfbeea900b93a10e9501dd124

SHA256
8f1faa3c1a7349bc3a977c2ecfc8166a86a7dcf6a8722ec8b9d930ef18fec228

SHA512
b4faccc55274c067d27e7c00f1a4501821236f3b7767a32330bc228462769839ee13c0fe1d41c06e8618fafd7f6241660caf5f5ac10383a938bd6da5b0b8c42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b28cf0db-6e31-454a-9bd2-7291e43883e8.vbs

Filesize
757B

MD5
e7f74373aad9c097f26c1c7de81d1507

SHA1
ac0fc0b5aebb07658cf77db34bc51d2b69f97755

SHA256
e4c6fb47ef4cfdd7dae6a0b18f0faa3225a6ca7d98212ff581de706347cd2344

SHA512
50c10dc77ed67b02ef495d616580c399645635678d9c842814713781d1abc038120e2573efbcf8e42a2c5c0ea153c0537b3f94721d566c554e6d94b9c8881fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\c602c45b-ea9b-4aa6-8fc4-8cbca6fcebd2.vbs

Filesize
757B

MD5
ab64a31e182a0b8b413cce9d7814bf62

SHA1
8dbb101b30d962c117d4cee91c7921eb4c0f1315

SHA256
66a0767ff176804cd8176fbf086ba6aa91df19ca7df97598a08c522df1ef4ba1

SHA512
0111adb43004fdff3d897370e4db4440e875299bbfed1f659cc526663559153b05e9803e9c408043a1ae069292dc6336f8f0b5486037c27e6657942183dd54ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\d92e5a25-316c-403f-ae18-f15410ef082e.vbs

Filesize
757B

MD5
e69dd708d39220486fb52b971fe3aca6

SHA1
093b7f8c960eabfad3659520f5e71070813d5732

SHA256
b2f541b9542d0400eb8cd7f03f4eecc03600d3db0f7ab33b9b752d154debc0b0

SHA512
c453f2916a2dcb932d1d7c205d3d74bdbdd3dee0dc82022740365b9e2bf3da8e6a6a8ac6d37c5c1254d22ad6ea52198588ca3d7a33c61066205b6870bb7e61db

Download Submit
C:\Users\Admin\AppData\Local\Temp\de06b90d-391b-4878-af65-bf23bcb83f2f.vbs

Filesize
757B

MD5
5d77de7da8912979a3a9083c7babb932

SHA1
e96ef6638a93d10ac530089cda584058cccd63bb

SHA256
f20a00843accdb70b7bf4b962df81723c1282f38529c9d211b7f44f37da0897e

SHA512
70ae66bd90ee6001a68dfd5af4e5035f44f7ee7dcd0887fa44ae7f57e71735c6722a95bcac1dcc06fdb191a0632d7aa18a9bd2562afae5811c5c78d561fc48d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff2218c2-36e8-452b-8fbe-32a131784be8.vbs

Filesize
757B

MD5
03dd579f2164920bc8d1e4a6ca357838

SHA1
e0d89aaa1319a6cbdf7306920380b639b4c3f1a9

SHA256
872b012bf31fe5e6ff57dc065613b731fc102c31c2af8b8a76bc76e50f8141fd

SHA512
10cde647b4d9df8ac9cba6d7c1dd65b6c24d87519ce19ccae46d52ef574515346f96edcdb7fb76a9aeb3bc64c48b1d058e567f6446945868fc4362ff48c6521b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2ec65301afbde51a95ef7364d8123674

SHA1
7d2a8eda14e4887502bda7b42603bedb380e5ae2

SHA256
d440a6a535a2e28596dc434d13f01cddbbb6d9aab2fce80b7b42d6ebaba85f57

SHA512
577120de9ed0cde8a96fe619464f1a4c10be71b1438653abdfee2457885f979b32a5c1ebd13a754a6774a55f013b4e000e9278695365f8bd99916df0a2402d87

Download Submit
C:\Windows\Microsoft.NET\Framework\smss.exe

Filesize
1.5MB

MD5
175728fc0156adf96439d339ae5a0658

SHA1
77712760c74c0d4826916126c1539ed0ce235dc5

SHA256
4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1

SHA512
436c18106c410c14d538a288458b3c91d2a0ffbbd22ae80d585482fbf9a0b710b980b4bfdf023528f064380494a0aad04d5d3936ffc6f88f2ea98e0ac5d26818

Download Submit
memory/1544-135-0x0000000000880000-0x00000000009FE000-memory.dmp

Filesize
1.5MB

Download
memory/1628-148-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1628-147-0x0000000000FD0000-0x000000000114E000-memory.dmp

Filesize
1.5MB

Download
memory/1628-207-0x0000000000ED0000-0x000000000104E000-memory.dmp

Filesize
1.5MB

Download
memory/1988-219-0x0000000001330000-0x00000000014AE000-memory.dmp

Filesize
1.5MB

Download
memory/2168-111-0x0000000000900000-0x0000000000A7E000-memory.dmp

Filesize
1.5MB

Download
memory/2248-183-0x0000000001200000-0x000000000137E000-memory.dmp

Filesize
1.5MB

Download
memory/2260-13-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/2260-6-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/2260-42-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-57-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-72-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-21-0x0000000000C50000-0x0000000000C58000-memory.dmp

Filesize
32KB

Download
memory/2260-112-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-20-0x0000000000C40000-0x0000000000C4C000-memory.dmp

Filesize
48KB

Download
memory/2260-1-0x0000000000E80000-0x0000000000FFE000-memory.dmp

Filesize
1.5MB

Download
memory/2260-2-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-18-0x0000000000C30000-0x0000000000C38000-memory.dmp

Filesize
32KB

Download
memory/2260-17-0x0000000000C20000-0x0000000000C2C000-memory.dmp

Filesize
48KB

Download
memory/2260-3-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/2260-16-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download
memory/2260-15-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/2260-14-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2260-0-0x000007FEF5473000-0x000007FEF5474000-memory.dmp

Filesize
4KB

Download
memory/2260-12-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/2260-11-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/2260-10-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/2260-9-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/2260-4-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2260-24-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-7-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2260-8-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2260-5-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2344-171-0x0000000000070000-0x00000000001EE000-memory.dmp

Filesize
1.5MB

Download
memory/2400-195-0x0000000000160000-0x00000000002DE000-memory.dmp

Filesize
1.5MB

Download
memory/2444-123-0x00000000002B0000-0x000000000042E000-memory.dmp

Filesize
1.5MB

Download
memory/2812-103-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2812-110-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download