dcrat | 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Size

1.5MB
MD5

6e727ca86bf17b8eb1d83e3e7a3bb202
SHA1

956d2b768d3842b3e579a45c4b53c9d7ea805833
SHA256

182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6
SHA512

6176e666c50d3a4c88a04dba49a9a7d44041402bb83d5f9a414c52737a41466624f0fa926b2b5c9137540d012b7dfd683151cb1a4a74e1ae42e340d846efe8a2
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\Admin\\Idle.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\lsass.exe\", \"C:\\Windows\\System32\\DeviceProperties\\services.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\Admin\\Idle.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\lsass.exe\", \"C:\\Windows\\System32\\DeviceProperties\\services.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\Idle.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\Admin\\Idle.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\lsass.exe\", \"C:\\Windows\\System32\\DeviceProperties\\services.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\Idle.exe\", \"C:\\PerfLogs\\Admin\\winlogon.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\Admin\\Idle.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\lsass.exe\", \"C:\\Windows\\System32\\DeviceProperties\\services.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\Idle.exe\", \"C:\\PerfLogs\\Admin\\winlogon.exe\", \"C:\\Windows\\System32\\credui\\dwm.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\Admin\\Idle.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\Admin\\Idle.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\lsass.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2872	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2000	powershell.exe
1512	powershell.exe
2680	powershell.exe
2820	powershell.exe
2836	powershell.exe
352	powershell.exe
1816	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe

Executes dropped EXE 11 IoCs

pid	Process
2440	winlogon.exe
2344	winlogon.exe
672	winlogon.exe
1148	winlogon.exe
2816	winlogon.exe
2152	winlogon.exe
2532	winlogon.exe
1544	winlogon.exe
1208	winlogon.exe
1880	winlogon.exe
2880	winlogon.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\PerfLogs\\Admin\\Idle.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\lsass.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\DeviceProperties\\services.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\DeviceProperties\\services.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\ProgramData\\Adobe\\Updater6\\Idle.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\credui\\dwm.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\credui\\dwm.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\PerfLogs\\Admin\\Idle.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\lsass.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\ProgramData\\Adobe\\Updater6\\Idle.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\PerfLogs\\Admin\\winlogon.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\PerfLogs\\Admin\\winlogon.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\credui\6cb0b6c459d5d3	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File opened for modification	C:\Windows\System32\DeviceProperties\RCXCF15.tmp	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File opened for modification	C:\Windows\System32\DeviceProperties\services.exe	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File opened for modification	C:\Windows\System32\credui\RCXD58D.tmp	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File opened for modification	C:\Windows\System32\credui\dwm.exe	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File created	C:\Windows\System32\DeviceProperties\services.exe	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File created	C:\Windows\System32\DeviceProperties\c5b4cb5e9653cc	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File created	C:\Windows\System32\credui\dwm.exe	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1728	schtasks.exe
2896	schtasks.exe
2664	schtasks.exe
2752	schtasks.exe
2924	schtasks.exe
2720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
1512	powershell.exe
352	powershell.exe
2000	powershell.exe
2836	powershell.exe
1816	powershell.exe
2680	powershell.exe
2820	powershell.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe
2440	winlogon.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2440	winlogon.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2344	winlogon.exe
Token: SeDebugPrivilege	672	winlogon.exe
Token: SeDebugPrivilege	1148	winlogon.exe
Token: SeDebugPrivilege	2816	winlogon.exe
Token: SeDebugPrivilege	2152	winlogon.exe
Token: SeDebugPrivilege	2532	winlogon.exe
Token: SeDebugPrivilege	1544	winlogon.exe
Token: SeDebugPrivilege	1208	winlogon.exe
Token: SeDebugPrivilege	1880	winlogon.exe
Token: SeDebugPrivilege	2880	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1816	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	38
PID 2108 wrote to memory of 1816	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	38
PID 2108 wrote to memory of 1816	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	38
PID 2108 wrote to memory of 2000	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	39
PID 2108 wrote to memory of 2000	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	39
PID 2108 wrote to memory of 2000	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	39
PID 2108 wrote to memory of 1512	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	40
PID 2108 wrote to memory of 1512	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	40
PID 2108 wrote to memory of 1512	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	40
PID 2108 wrote to memory of 2680	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	41
PID 2108 wrote to memory of 2680	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	41
PID 2108 wrote to memory of 2680	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	41
PID 2108 wrote to memory of 2820	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	42
PID 2108 wrote to memory of 2820	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	42
PID 2108 wrote to memory of 2820	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	42
PID 2108 wrote to memory of 2836	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	43
PID 2108 wrote to memory of 2836	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	43
PID 2108 wrote to memory of 2836	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	43
PID 2108 wrote to memory of 352	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	44
PID 2108 wrote to memory of 352	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	44
PID 2108 wrote to memory of 352	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	44
PID 2108 wrote to memory of 2440	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	52
PID 2108 wrote to memory of 2440	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	52
PID 2108 wrote to memory of 2440	2108	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	52
PID 2440 wrote to memory of 768	2440	winlogon.exe	53
PID 2440 wrote to memory of 768	2440	winlogon.exe	53
PID 2440 wrote to memory of 768	2440	winlogon.exe	53
PID 2440 wrote to memory of 1500	2440	winlogon.exe	54
PID 2440 wrote to memory of 1500	2440	winlogon.exe	54
PID 2440 wrote to memory of 1500	2440	winlogon.exe	54
PID 768 wrote to memory of 2344	768	WScript.exe	55
PID 768 wrote to memory of 2344	768	WScript.exe	55
PID 768 wrote to memory of 2344	768	WScript.exe	55
PID 2344 wrote to memory of 2616	2344	winlogon.exe	56
PID 2344 wrote to memory of 2616	2344	winlogon.exe	56
PID 2344 wrote to memory of 2616	2344	winlogon.exe	56
PID 2344 wrote to memory of 2692	2344	winlogon.exe	57
PID 2344 wrote to memory of 2692	2344	winlogon.exe	57
PID 2344 wrote to memory of 2692	2344	winlogon.exe	57
PID 2616 wrote to memory of 672	2616	WScript.exe	58
PID 2616 wrote to memory of 672	2616	WScript.exe	58
PID 2616 wrote to memory of 672	2616	WScript.exe	58
PID 672 wrote to memory of 1824	672	winlogon.exe	59
PID 672 wrote to memory of 1824	672	winlogon.exe	59
PID 672 wrote to memory of 1824	672	winlogon.exe	59
PID 672 wrote to memory of 2840	672	winlogon.exe	60
PID 672 wrote to memory of 2840	672	winlogon.exe	60
PID 672 wrote to memory of 2840	672	winlogon.exe	60
PID 1824 wrote to memory of 1148	1824	WScript.exe	61
PID 1824 wrote to memory of 1148	1824	WScript.exe	61
PID 1824 wrote to memory of 1148	1824	WScript.exe	61
PID 1148 wrote to memory of 2228	1148	winlogon.exe	62
PID 1148 wrote to memory of 2228	1148	winlogon.exe	62
PID 1148 wrote to memory of 2228	1148	winlogon.exe	62
PID 1148 wrote to memory of 2208	1148	winlogon.exe	63
PID 1148 wrote to memory of 2208	1148	winlogon.exe	63
PID 1148 wrote to memory of 2208	1148	winlogon.exe	63
PID 2228 wrote to memory of 2816	2228	WScript.exe	64
PID 2228 wrote to memory of 2816	2228	WScript.exe	64
PID 2228 wrote to memory of 2816	2228	WScript.exe	64
PID 2816 wrote to memory of 2032	2816	winlogon.exe	65
PID 2816 wrote to memory of 2032	2816	winlogon.exe	65
PID 2816 wrote to memory of 2032	2816	winlogon.exe	65
PID 2816 wrote to memory of 884	2816	winlogon.exe	66

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
"C:\Users\Admin\AppData\Local\Temp\182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\DeviceProperties\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Adobe\Updater6\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\credui\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:352
- C:\PerfLogs\Admin\winlogon.exe
  "C:\PerfLogs\Admin\winlogon.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2440
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b1d23d2-3a66-4284-9574-de76ac3d9af6.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\PerfLogs\Admin\winlogon.exe
      C:\PerfLogs\Admin\winlogon.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2344
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc8ddae0-431d-49a9-9708-d665c083f831.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\PerfLogs\Admin\winlogon.exe
        
        C:\PerfLogs\Admin\winlogon.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f64de85-b71e-47e3-8dd9-896070d3941a.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\PerfLogs\Admin\winlogon.exe
        
        C:\PerfLogs\Admin\winlogon.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e313ab2-8463-45e6-9320-ec8e06b4e1a6.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\PerfLogs\Admin\winlogon.exe
        
        C:\PerfLogs\Admin\winlogon.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\940b1aa4-ae59-4dd3-a333-bb594fd1a8aa.vbs"
        11⤵
        
        PID:2032
        
        C:\PerfLogs\Admin\winlogon.exe
        
        C:\PerfLogs\Admin\winlogon.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b394116-a97f-4aea-9cb9-b77848ba050c.vbs"
        13⤵
        
        PID:552
        
        C:\PerfLogs\Admin\winlogon.exe
        
        C:\PerfLogs\Admin\winlogon.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55a931e7-77b8-4fa5-8f0e-f52ecb4f677a.vbs"
        15⤵
        
        PID:2484
        
        C:\PerfLogs\Admin\winlogon.exe
        
        C:\PerfLogs\Admin\winlogon.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf0e5649-67ea-4b89-9c82-8023e1891767.vbs"
        17⤵
        
        PID:2064
        
        C:\PerfLogs\Admin\winlogon.exe
        
        C:\PerfLogs\Admin\winlogon.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b39e8531-508c-4167-ace5-246929defa0c.vbs"
        19⤵
        
        PID:2248
        
        C:\PerfLogs\Admin\winlogon.exe
        
        C:\PerfLogs\Admin\winlogon.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1ed92b8-5e15-4357-b6a2-42da884d23d3.vbs"
        21⤵
        
        PID:2440
        
        C:\PerfLogs\Admin\winlogon.exe
        
        C:\PerfLogs\Admin\winlogon.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4ecc58d-7db4-401d-9967-e6ebb7050fa9.vbs"
        23⤵
        
        PID:2240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b0a8ff4-2ad2-463a-985a-17feaaad044c.vbs"
        23⤵
        
        PID:2804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51051808-7ed9-435d-9a13-056a1e66ed49.vbs"
        21⤵
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed53990c-b8ee-4b82-9ec2-fdd59ad12a1b.vbs"
        19⤵
        
        PID:2456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b176bd9-8dde-4e48-bd08-87dab4bf1e72.vbs"
        17⤵
        
        PID:2480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93ca5c95-267e-41e4-8455-8a2f359c2d2c.vbs"
        15⤵
        
        PID:1576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fef62ea1-0fb7-49ac-bbf8-ba0ec5ad721a.vbs"
        13⤵
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\953d422b-8cfd-4dbb-ab59-3e0da1adf023.vbs"
        11⤵
        
        PID:884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8736e5e5-7d45-459d-b514-958424762bf9.vbs"
        9⤵
        
        PID:2208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f8c3242-6d1a-4569-98f7-d24cd5db59b4.vbs"
        7⤵
        
        PID:2840
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57579461-f378-4dc4-b508-0ba589c2397e.vbs"
        5⤵
        
        PID:2692
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e08153a6-b98d-4038-b0e8-d42b648c9b24.vbs"
    3⤵
    PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\PerfLogs\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\DeviceProperties\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\ProgramData\Adobe\Updater6\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\PerfLogs\Admin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\credui\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\winlogon.exe

Filesize
1.5MB

MD5
6e727ca86bf17b8eb1d83e3e7a3bb202

SHA1
956d2b768d3842b3e579a45c4b53c9d7ea805833

SHA256
182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6

SHA512
6176e666c50d3a4c88a04dba49a9a7d44041402bb83d5f9a414c52737a41466624f0fa926b2b5c9137540d012b7dfd683151cb1a4a74e1ae42e340d846efe8a2

Download Submit
C:\PerfLogs\Admin\winlogon.exe

Filesize
1.5MB

MD5
97d8145800abbb769576f4e2ecf8371d

SHA1
23d2ca521bce714263fd2bf3fb793d1f2aff619e

SHA256
b4c74079e398aea62e5980091b255c522488fe8493aeb8667ac969395d7815b4

SHA512
024c732c9dafd92c43187fc757a27a8282159f6d7217a7ee4eee694e7929f04d20696b7f47d4588f4e0ad841d01791bba6946d32faf3014a037d04f4bc7bc5cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b1d23d2-3a66-4284-9574-de76ac3d9af6.vbs

Filesize
706B

MD5
ee239470d89ba9b7c76b191039ea9658

SHA1
6121c8af04292dc2d95e7b9e6b49edf5dd11fe22

SHA256
d4b0f8488b2d1668cbc797e54101ca7257ca9590dd5e80648e2697e0076afd5c

SHA512
354d403b2cd63885a585c1cbde900628ddc119544a7bb9f356d206af4a9fa95a60e88b6a3d816425d8230365ba3f7c1a657a0fca6965d096740de8d84ae73d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b394116-a97f-4aea-9cb9-b77848ba050c.vbs

Filesize
706B

MD5
d05ba23c7f8fa59eba998e33e9c49101

SHA1
10f856ccf45fa0329712a5531d67f1ab4aba16b4

SHA256
40e3873e105670bab4fa18fcfbb1da5032bf5b597cb6afa22e40a4145bc23204

SHA512
3e8c650a6f5209fd2a8575a54652cab0bd4ca74403b080bd530c75aeb3c1171c245f8ae1ba929fd24cded5bc5d09304d72afd4ee514d28005c9668c91de01d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\55a931e7-77b8-4fa5-8f0e-f52ecb4f677a.vbs

Filesize
706B

MD5
9fc006fa7814631b98850d554703f969

SHA1
1fb84becd13a3c26385736dab2cdfdbfe47e8a90

SHA256
fe87f38b1a45d7aa9496ee4bbe4974a5ed4f9a8c0e891213a27979b92a7e3f59

SHA512
469025f8b388955b2b376f353128ef3b0870e4ae975d726fbc9e716d56289a33b019dd47c3fd19b55e192b035a44456039a73742fb7ed1e2e209c95909d0d1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f64de85-b71e-47e3-8dd9-896070d3941a.vbs

Filesize
705B

MD5
aefb8b51266ee130691a1b4f60578743

SHA1
154b822e6889faadf41b368e92f6ec838f6ea571

SHA256
e5c2b9bf3fa3a47b5db2c8a543c63c8fa69605c39c0dd0d2f6181774ddc03506

SHA512
1dbad29fed43620c251532569cdd4df0ad717fb23c2b4b4b41dfb1df1ec1b52ecac1a7b14e2f56934cae52e419a77ed3c2eea9ec69cc48cfcbc507133cbe39b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\940b1aa4-ae59-4dd3-a333-bb594fd1a8aa.vbs

Filesize
706B

MD5
0063b69ad4f2bbdeecb10ba810dd4138

SHA1
0167c52e6ecebd9f2d9ba3ddd1c4111760971830

SHA256
8eb63e1ef3722e40fb9adb525c2b572a5113350a5f39b9eae80d1ea093ecfbaf

SHA512
b70bf325b72cb5fac3b2ac7865f6368b8f269f08655cd909be65ac4e33cf5c14523f2b1f54971dab4eda5c43df9f0452ff9f473f38d451a6ce3df0b0d3084d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e313ab2-8463-45e6-9320-ec8e06b4e1a6.vbs

Filesize
706B

MD5
6655947a5e5f6ea0fd96cd0297a4ad0a

SHA1
7fb350bea921b15da519a32600df9734b435e34d

SHA256
9f525ac217ed5dfdc0f4283848267af8ba90c1dfdadea3b1fdc462c1e72d5a11

SHA512
607b41a34d57c17575fea4505f9a25a8ed6f9e2322f6ed7ff1359991aa9007b6d88040cc8af44e3561fd20c4039057d6bc910138b0fe377d7a6adaafcb279afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\b39e8531-508c-4167-ace5-246929defa0c.vbs

Filesize
706B

MD5
d8863bc4cdd240a651e99a6821d7b2a3

SHA1
c817eaa7ba98e627d955b273a0eeca4de3775c67

SHA256
38d98d520420f33f823d8c7fe5a6362c9c331dced5d18af80389d68c79fede0d

SHA512
58a9f420c8fee9ae7cf9de493ec51af370f5190fd38af3659ff52e60803970c69df7e4a8cc1d426d0de46731a0ff43468a244e3c4470a26077e31c12901b3e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf0e5649-67ea-4b89-9c82-8023e1891767.vbs

Filesize
706B

MD5
095c9174a5918bf155f2ad4126e155a6

SHA1
1fe59299b21bff9605615bfb66c7fe6fd7d5b5f2

SHA256
7fafcdfb0ee376b05c457a2a339ee19ef282eacf114d7b054851a754a7bf03dd

SHA512
a13b4462644cc86952ae733e9482c37465714e125778c80f5b706a340b0f43fe18cca57235f4ec688da12f5f3c9814f6f387627ed4375c59fb3591465385fbf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1ed92b8-5e15-4357-b6a2-42da884d23d3.vbs

Filesize
706B

MD5
bba632cbd5eecb2d20368ed93081df90

SHA1
63bb75f5e3fb20ce2f0846da1fc25591dec0b9a7

SHA256
731faaa098737a05e8ad1233f9353d1898b3275c5d17886b26d1a517b37c42dc

SHA512
ff53e88564f9249beaf4f2e4842265acde319ece3289c81135d102cb8d1493f6d80d0ae603067b5ac13548742144bcf4e0d2496c44d24f2e9ed00b2e1fecafca

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4ecc58d-7db4-401d-9967-e6ebb7050fa9.vbs

Filesize
706B

MD5
3594cf16e86256065ee0db2b3f29b0be

SHA1
4c293b4d7fc5646c793d59f8079fa3d0ed569e4b

SHA256
cb5965ba7330259abf10acbbbd6711933ca0a8ba0a98d36a311be38d631b9eb9

SHA512
026059067287fadbaf1af6a2c4735b32582c35dd6a221daca89f21f140c65b3249d72340b03cba034e03e0607a0dcfaa17bb5deac206dc29a5eb27d3e61391ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc8ddae0-431d-49a9-9708-d665c083f831.vbs

Filesize
706B

MD5
91cf35f92b6f8b41f4c612601490c8f2

SHA1
8696ec630e63aa9e8e3e3e4a94a7372678ab0a22

SHA256
0ddf3ed065b154fd4b11b90ba62cb964f48b0dddf0b7fcdba260271ac7cd9c44

SHA512
5b3d4ed93a765c27fc7cab1c555f2cbcad83753f6789c06bf53cc800fd99bc1d69fc7f452a68335e2f30d171ce14a065f963351af4f877daaf4362d14b5a6175

Download Submit
C:\Users\Admin\AppData\Local\Temp\e08153a6-b98d-4038-b0e8-d42b648c9b24.vbs

Filesize
482B

MD5
1ced562d6f96c55a9466597de610c5dd

SHA1
d371f5c1c0e1de2234f81cfc9e82b47dcb0c24b5

SHA256
80cfae17e03d5fd73dcd05d9b9c00218d6c8b3fdbcae82358fff227abeaf5116

SHA512
a1ec8d437ffaecc1f0e61bb6a731c81ee0407fdff1bd2258326101dc151e0efbdcf7230f824583e55177f8c023731e5330c71a4d6d2a667ac9cb61c8932122e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c0c10eda37617c3fd5d326034c43d559

SHA1
ff0ca44146e84c897f3a1d61b2837b57033db8ab

SHA256
c33285a7423646c4c70bb0bbab2c9acf12f810bbecaa2120a9259b4160193139

SHA512
eeae02c4003d34545a8f3e89d3c3e2cf0c3d0b5e70e9fa16d10e1810d3091d37f78377d31c26d09433e993b0a4b61086c04a57f894c1512049fcd30a6ae2dd9b

Download Submit
memory/352-103-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/672-146-0x0000000001240000-0x00000000013BE000-memory.dmp

Filesize
1.5MB

Download
memory/1208-218-0x0000000001050000-0x00000000011CE000-memory.dmp

Filesize
1.5MB

Download
memory/1544-206-0x0000000000C30000-0x0000000000DAE000-memory.dmp

Filesize
1.5MB

Download
memory/1816-100-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/1880-230-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2108-102-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2108-11-0x0000000001F80000-0x0000000001F90000-memory.dmp

Filesize
64KB

Download
memory/2108-21-0x000000001A800000-0x000000001A808000-memory.dmp

Filesize
32KB

Download
memory/2108-1-0x0000000000870000-0x00000000009EE000-memory.dmp

Filesize
1.5MB

Download
memory/2108-20-0x0000000002180000-0x000000000218C000-memory.dmp

Filesize
48KB

Download
memory/2108-0-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp

Filesize
4KB

Download
memory/2108-18-0x0000000002170000-0x0000000002178000-memory.dmp

Filesize
32KB

Download
memory/2108-2-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2108-17-0x00000000020E0000-0x00000000020EC000-memory.dmp

Filesize
48KB

Download
memory/2108-16-0x00000000020D0000-0x00000000020D8000-memory.dmp

Filesize
32KB

Download
memory/2108-15-0x00000000020C0000-0x00000000020CA000-memory.dmp

Filesize
40KB

Download
memory/2108-14-0x0000000002030000-0x000000000203C000-memory.dmp

Filesize
48KB

Download
memory/2108-13-0x0000000002020000-0x000000000202A000-memory.dmp

Filesize
40KB

Download
memory/2108-12-0x0000000002010000-0x0000000002018000-memory.dmp

Filesize
32KB

Download
memory/2108-3-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/2108-24-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2108-4-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2108-5-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2108-10-0x0000000000860000-0x0000000000870000-memory.dmp

Filesize
64KB

Download
memory/2108-7-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/2108-9-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/2108-8-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/2108-6-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/2152-182-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2152-181-0x0000000000360000-0x00000000004DE000-memory.dmp

Filesize
1.5MB

Download
memory/2440-124-0x0000000000470000-0x0000000000482000-memory.dmp

Filesize
72KB

Download
memory/2440-86-0x0000000000F30000-0x00000000010AE000-memory.dmp

Filesize
1.5MB

Download
memory/2532-194-0x00000000002A0000-0x000000000041E000-memory.dmp

Filesize
1.5MB

Download
memory/2816-169-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2880-242-0x00000000011C0000-0x000000000133E000-memory.dmp

Filesize
1.5MB

Download