dcrat | ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Size

1.5MB
MD5

a85fc237c6a4ce58422363d3ab559e20
SHA1

581ad77fe54d760329df7be48163a65ce030b179
SHA256

ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474
SHA512

0345f6998a7c0f77264e7dc6d984bbbf4a08534c00a5bcedf25534c3dde1d2987394338288e192f251cdb06a27b26b582d50e3a0f7c3bfddfa6c5da395f1f19f
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 13 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2624	schtasks.exe
		2564	schtasks.exe
		2436	schtasks.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed\1610b97d3ab4a7		ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
		3040	schtasks.exe
		2616	schtasks.exe
		2232	schtasks.exe
		2632	schtasks.exe
		764	schtasks.exe
		892	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
		2724	schtasks.exe
		596	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 11 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed\\OSPPSVC.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\Minesweeper\\it-IT\\spoolsv.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\", \"C:\\Windows\\System32\\print\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\ProgramData\\Start Menu\\lsm.exe\", \"C:\\Windows\\System32\\ias\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\Idle.exe\", \"C:\\PerfLogs\\Admin\\wininit.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed\\OSPPSVC.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\Minesweeper\\it-IT\\spoolsv.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\", \"C:\\Windows\\System32\\print\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\ProgramData\\Start Menu\\lsm.exe\", \"C:\\Windows\\System32\\ias\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\Idle.exe\", \"C:\\PerfLogs\\Admin\\wininit.exe\", \"C:\\Windows\\System32\\mfcm120u\\services.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed\\OSPPSVC.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed\\OSPPSVC.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed\\OSPPSVC.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\Minesweeper\\it-IT\\spoolsv.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\", \"C:\\Windows\\System32\\print\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\ProgramData\\Start Menu\\lsm.exe\", \"C:\\Windows\\System32\\ias\\winlogon.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed\\OSPPSVC.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\Minesweeper\\it-IT\\spoolsv.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\", \"C:\\Windows\\System32\\print\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed\\OSPPSVC.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\Minesweeper\\it-IT\\spoolsv.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\", \"C:\\Windows\\System32\\print\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\ProgramData\\Start Menu\\lsm.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed\\OSPPSVC.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\Minesweeper\\it-IT\\spoolsv.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\", \"C:\\Windows\\System32\\print\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\ProgramData\\Start Menu\\lsm.exe\", \"C:\\Windows\\System32\\ias\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\Idle.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed\\OSPPSVC.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\Minesweeper\\it-IT\\spoolsv.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed\\OSPPSVC.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\Minesweeper\\it-IT\\spoolsv.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed\\OSPPSVC.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\Minesweeper\\it-IT\\spoolsv.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\", \"C:\\Windows\\System32\\print\\sppsvc.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe

Process spawned unexpected child process 11 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2824	schtasks.exe	30

UAC bypass 3 TTPs 33 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1420	powershell.exe
2672	powershell.exe
2392	powershell.exe
2712	powershell.exe
2940	powershell.exe
556	powershell.exe
1604	powershell.exe
1620	powershell.exe
1644	powershell.exe
2372	powershell.exe
1772	powershell.exe
1916	powershell.exe
1840	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe

Executes dropped EXE 10 IoCs

pid	Process
1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
2920	winlogon.exe
3060	winlogon.exe
2932	winlogon.exe
2652	winlogon.exe
1288	winlogon.exe
2648	winlogon.exe
2076	winlogon.exe
620	winlogon.exe
268	winlogon.exe

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\mfcm120u\\services.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed\\OSPPSVC.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Microsoft Games\\Minesweeper\\it-IT\\spoolsv.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Microsoft Games\\Minesweeper\\it-IT\\spoolsv.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Migration\\WTR\\csrss.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\PerfLogs\\Admin\\wininit.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\mfcm120u\\services.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\print\\sppsvc.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\PerfLogs\\Admin\\Idle.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed\\OSPPSVC.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Migration\\WTR\\csrss.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\ProgramData\\Start Menu\\lsm.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\PerfLogs\\Admin\\wininit.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\print\\sppsvc.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\ProgramData\\Start Menu\\lsm.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\ias\\winlogon.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\ias\\winlogon.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\PerfLogs\\Admin\\Idle.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\print\RCXE017.tmp	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File opened for modification	C:\Windows\System32\print\sppsvc.exe	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File created	C:\Windows\System32\ias\cc11b995f2a76d	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File created	C:\Windows\System32\mfcm120u\services.exe	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File created	C:\Windows\System32\mfcm120u\c5b4cb5e9653cc	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File opened for modification	C:\Windows\System32\ias\winlogon.exe	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File created	C:\Windows\System32\print\sppsvc.exe	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File created	C:\Windows\System32\print\0a1fd5f707cd16	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File created	C:\Windows\System32\ias\winlogon.exe	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File opened for modification	C:\Windows\System32\mfcm120u\services.exe	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\f3b6ecef712a24	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed\RCXD72E.tmp	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\it-IT\RCXDBA2.tmp	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\it-IT\spoolsv.exe	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed\OSPPSVC.exe	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed\OSPPSVC.exe	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed\1610b97d3ab4a7	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\spoolsv.exe	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\886983d96e3d3e	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File opened for modification	C:\Windows\Migration\WTR\RCXDDA6.tmp	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File opened for modification	C:\Windows\Migration\WTR\csrss.exe	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File created	C:\Windows\Migration\WTR\csrss.exe	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2632	schtasks.exe
764	schtasks.exe
2624	schtasks.exe
2564	schtasks.exe
596	schtasks.exe
2436	schtasks.exe
3040	schtasks.exe
2616	schtasks.exe
2232	schtasks.exe
2724	schtasks.exe
892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1420	powershell.exe
2712	powershell.exe
2940	powershell.exe
1916	powershell.exe
556	powershell.exe
2672	powershell.exe
1772	powershell.exe
1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1604	powershell.exe
1644	powershell.exe
2372	powershell.exe
1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1840	powershell.exe
2392	powershell.exe
1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1620	powershell.exe
2920	winlogon.exe
2920	winlogon.exe
2920	winlogon.exe
2920	winlogon.exe
2920	winlogon.exe
2920	winlogon.exe
2920	winlogon.exe
2920	winlogon.exe
2920	winlogon.exe
2920	winlogon.exe
2920	winlogon.exe
2920	winlogon.exe
2920	winlogon.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Token: SeDebugPrivilege	1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	2920	winlogon.exe
Token: SeDebugPrivilege	3060	winlogon.exe
Token: SeDebugPrivilege	2932	winlogon.exe
Token: SeDebugPrivilege	2652	winlogon.exe
Token: SeDebugPrivilege	1288	winlogon.exe
Token: SeDebugPrivilege	2648	winlogon.exe
Token: SeDebugPrivilege	2076	winlogon.exe
Token: SeDebugPrivilege	620	winlogon.exe
Token: SeDebugPrivilege	268	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 1772	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	38
PID 2692 wrote to memory of 1772	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	38
PID 2692 wrote to memory of 1772	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	38
PID 2692 wrote to memory of 1916	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	39
PID 2692 wrote to memory of 1916	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	39
PID 2692 wrote to memory of 1916	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	39
PID 2692 wrote to memory of 2712	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	40
PID 2692 wrote to memory of 2712	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	40
PID 2692 wrote to memory of 2712	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	40
PID 2692 wrote to memory of 2940	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	41
PID 2692 wrote to memory of 2940	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	41
PID 2692 wrote to memory of 2940	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	41
PID 2692 wrote to memory of 556	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	42
PID 2692 wrote to memory of 556	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	42
PID 2692 wrote to memory of 556	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	42
PID 2692 wrote to memory of 1420	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	43
PID 2692 wrote to memory of 1420	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	43
PID 2692 wrote to memory of 1420	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	43
PID 2692 wrote to memory of 2672	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	44
PID 2692 wrote to memory of 2672	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	44
PID 2692 wrote to memory of 2672	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	44
PID 2692 wrote to memory of 1912	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	52
PID 2692 wrote to memory of 1912	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	52
PID 2692 wrote to memory of 1912	2692	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	52
PID 1912 wrote to memory of 1840	1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	58
PID 1912 wrote to memory of 1840	1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	58
PID 1912 wrote to memory of 1840	1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	58
PID 1912 wrote to memory of 1604	1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	59
PID 1912 wrote to memory of 1604	1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	59
PID 1912 wrote to memory of 1604	1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	59
PID 1912 wrote to memory of 1620	1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	60
PID 1912 wrote to memory of 1620	1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	60
PID 1912 wrote to memory of 1620	1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	60
PID 1912 wrote to memory of 1644	1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	61
PID 1912 wrote to memory of 1644	1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	61
PID 1912 wrote to memory of 1644	1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	61
PID 1912 wrote to memory of 2392	1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	62
PID 1912 wrote to memory of 2392	1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	62
PID 1912 wrote to memory of 2392	1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	62
PID 1912 wrote to memory of 2372	1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	63
PID 1912 wrote to memory of 2372	1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	63
PID 1912 wrote to memory of 2372	1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	63
PID 1912 wrote to memory of 2920	1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	70
PID 1912 wrote to memory of 2920	1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	70
PID 1912 wrote to memory of 2920	1912	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	70
PID 2920 wrote to memory of 2352	2920	winlogon.exe	71
PID 2920 wrote to memory of 2352	2920	winlogon.exe	71
PID 2920 wrote to memory of 2352	2920	winlogon.exe	71
PID 2920 wrote to memory of 236	2920	winlogon.exe	72
PID 2920 wrote to memory of 236	2920	winlogon.exe	72
PID 2920 wrote to memory of 236	2920	winlogon.exe	72
PID 2352 wrote to memory of 3060	2352	WScript.exe	73
PID 2352 wrote to memory of 3060	2352	WScript.exe	73
PID 2352 wrote to memory of 3060	2352	WScript.exe	73
PID 3060 wrote to memory of 1680	3060	winlogon.exe	74
PID 3060 wrote to memory of 1680	3060	winlogon.exe	74
PID 3060 wrote to memory of 1680	3060	winlogon.exe	74
PID 3060 wrote to memory of 2596	3060	winlogon.exe	75
PID 3060 wrote to memory of 2596	3060	winlogon.exe	75
PID 3060 wrote to memory of 2596	3060	winlogon.exe	75
PID 1680 wrote to memory of 2932	1680	WScript.exe	76
PID 1680 wrote to memory of 2932	1680	WScript.exe	76
PID 1680 wrote to memory of 2932	1680	WScript.exe	76
PID 2932 wrote to memory of 2436	2932	winlogon.exe	77

System policy modification 1 TTPs 33 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
"C:\Users\Admin\AppData\Local\Temp\ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Minesweeper\it-IT\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\print\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
  "C:\Users\Admin\AppData\Local\Temp\ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Start Menu\lsm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\ias\winlogon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\Idle.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\wininit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\mfcm120u\services.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2372
- - C:\Windows\System32\ias\winlogon.exe
    "C:\Windows\System32\ias\winlogon.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2920
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fdf831a-b9e1-4f96-9b6d-7e6629f8e363.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\System32\ias\winlogon.exe
        
        C:\Windows\System32\ias\winlogon.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3060
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df057076-7b37-489a-bc6f-dc8b78420692.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\System32\ias\winlogon.exe
        
        C:\Windows\System32\ias\winlogon.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\862592e4-8c91-4ed4-93cd-48b012d01430.vbs"
        8⤵
        
        PID:2436
        
        C:\Windows\System32\ias\winlogon.exe
        
        C:\Windows\System32\ias\winlogon.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f16c3fac-91f9-459a-8680-a3caa902418a.vbs"
        10⤵
        
        PID:2612
        
        C:\Windows\System32\ias\winlogon.exe
        
        C:\Windows\System32\ias\winlogon.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbe42f0a-2f13-4a66-996f-b3a4749776bf.vbs"
        12⤵
        
        PID:2004
        
        C:\Windows\System32\ias\winlogon.exe
        
        C:\Windows\System32\ias\winlogon.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\164a6daa-bcd0-454a-b585-6fbfc0072dd2.vbs"
        14⤵
        
        PID:1396
        
        C:\Windows\System32\ias\winlogon.exe
        
        C:\Windows\System32\ias\winlogon.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bd6e2c9-2184-4c45-87d1-261eed98e090.vbs"
        16⤵
        
        PID:2508
        
        C:\Windows\System32\ias\winlogon.exe
        
        C:\Windows\System32\ias\winlogon.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a73b4919-18f2-4e20-ad89-4eab0e862967.vbs"
        18⤵
        
        PID:2776
        
        C:\Windows\System32\ias\winlogon.exe
        
        C:\Windows\System32\ias\winlogon.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dad0d86-3dda-45d4-b9e0-7036c1ad6b61.vbs"
        20⤵
        
        PID:2448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87bc7f6e-47af-430d-953c-2d93c7fe1cae.vbs"
        20⤵
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d153a32-5fb5-4cdc-bbb6-38cf2ffc220b.vbs"
        18⤵
        
        PID:1988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d677e4ce-561a-4bf5-b569-899a3a5accc2.vbs"
        16⤵
        
        PID:764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17ddf387-1339-4b98-b1b1-0d09a3c743bb.vbs"
        14⤵
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\510a43c3-4dad-463e-8a0e-80b6ef148c11.vbs"
        12⤵
        
        PID:1912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea31ae1b-969f-4065-a2e9-d7bab34a7bfb.vbs"
        10⤵
        
        PID:2836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\118889c7-34d1-42e4-88e6-c3553a621642.vbs"
        8⤵
        
        PID:2164
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\154f7cee-65c6-4141-a6ca-6b1f8cb75ed7.vbs"
        6⤵
        
        PID:2596
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\116b6171-4c5b-449d-aeb3-4951eca918ec.vbs"
      4⤵
      PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\print\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\ias\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\PerfLogs\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\PerfLogs\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\mfcm120u\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\116b6171-4c5b-449d-aeb3-4951eca918ec.vbs

Filesize
488B

MD5
2a61199db0bce48647d357899efeb3fe

SHA1
422c883670ad336eb6068f9a6b509c6267dc8d4c

SHA256
f6f8f6412ffa5b73dbee7b7d0c03e3000c4f88f8b3cf7bb7520f9b2c9f549a71

SHA512
9f9c78515be9b16fc1f885fa8e1e635834a3a53a20783deb410c409689e622079c32aa98ff0970e5d437d52a55f75a13570cf73510240e54d8063d1225406a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\164a6daa-bcd0-454a-b585-6fbfc0072dd2.vbs

Filesize
712B

MD5
743d941b53aa7c9f88538992a9c7545a

SHA1
7463e6bd91fd776940bbebf2328e26d4e77f5ac4

SHA256
1c68ecd62c995a0c668e6f21b89d5eafa2dc1f531aa97815d2611f79f91ff64f

SHA512
422a06ad0cded86e41442ce8356c7d1fb27292bbf8e3851677741aca2621d1cc48e466d68b685341b6dd7ef156ab916fb4a7a7eaf4f33a92a90dd95e5457c6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dad0d86-3dda-45d4-b9e0-7036c1ad6b61.vbs

Filesize
711B

MD5
5b347ea1f5367e40c9052dde6f19d880

SHA1
9eda57dd5b1c2a33147a2ec87dc2389933723f5c

SHA256
addbb75d792e52b588077f127e364984b28dc7826f35ed5819fbc4ec6ee1456c

SHA512
b7a2c5d1283b72b580bf057867ecef7725138000aa6610cfe6832b1e5066de3d907bc38b8f888097e6f1d2c745b7e8d9757e8bac0f4c9cdd9877c9c2aea0a2f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3bd6e2c9-2184-4c45-87d1-261eed98e090.vbs

Filesize
712B

MD5
f58ead39d357cc38d25449c7e36f4580

SHA1
25af1d3699c9cfc6de8bce7d65fa02de4eb8fd05

SHA256
5cdaa86cbe0d45f7d750e39742e0473bc45320528f9c6cea20d8c2064d011cab

SHA512
73c89fc7932df70834f96c3852e19497727b9fff70a0979be6ae0dbd2bd4d354bcc2dd810e109386ad02fbee3695cdb22293135af898402c4b48ac973b7ee11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fdf831a-b9e1-4f96-9b6d-7e6629f8e363.vbs

Filesize
712B

MD5
fca0fb9968b44cd1a85962a61059da91

SHA1
5cbe7c8ac8503b8c7f02ebbf46c872ec2bb9fcd9

SHA256
a15e640d703c5847f1fb80dbe77ae506884b12e6b9fb607db081a65288e89e00

SHA512
c6272f510c2ed5b6ebe453b8f4828b266a5e4325f49ae925e7dc3600ed03b2a6e735703731672491ffa8622daca264dfd8e8a8c54f0bc50c95c29e131d8f92a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\862592e4-8c91-4ed4-93cd-48b012d01430.vbs

Filesize
712B

MD5
076193507a5f675828115b9ff45c13be

SHA1
c082abe6377b5c2e31df60bffa389f285e32ca8d

SHA256
a589abe67aca89db42fec7d3d3a28c185b45dc5f752b26fe92a8e5e97e3cf54b

SHA512
2ab40080676d1e05aab79d032c8dc7ad0059c6d0f325244b57bbae44e10b2ffc5aa86deeb6243409f146d947625d00a5f4dd1e7891388eb2e92ca6aefaf92770

Download Submit
C:\Users\Admin\AppData\Local\Temp\a73b4919-18f2-4e20-ad89-4eab0e862967.vbs

Filesize
711B

MD5
eb26639473de9869411f8fdf9c0517e3

SHA1
8ac71fd8f7f440b36cec3fb76f8ef21b240fcf45

SHA256
1dc752c330f79089ffe67a7db4b88e9946c0688a668eb8f652d24efa66105262

SHA512
4527fc8a42bc8c4b437264ccc2278203d182295b417d278860a4a10ce3d21d64eff346574ddb621eadb6c09979ee39c5587927139348b28aedb1aceab75c8c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\df057076-7b37-489a-bc6f-dc8b78420692.vbs

Filesize
712B

MD5
2cc16a687f3461781056c5814837caac

SHA1
0fad919d3056971b15bc816aec73415fc19c05ad

SHA256
5aee96a9220da2d61e1062da8a39ce80b6ee6b6da34e463b769139440b8bebf6

SHA512
83edcc3d4a27d5f896e832f0bd61223d16b85a5a9d1735ee28e324baf5851a206d6154d830f95ae0376334902264a6d7df484f09c2f9e3596b47835c17958e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f16c3fac-91f9-459a-8680-a3caa902418a.vbs

Filesize
712B

MD5
beee7b478e709d25f483d92975af5c23

SHA1
20011046fd3dc07631931beab0aa9509cff15b72

SHA256
046e00a2e91e2ef7d00fc2baf9c0916ad6b277a2b19de40dfa238f776fa5b1bd

SHA512
f7312aa570747d31782dc0bb69bcd1aa28a3de0f819c3dea224af36f84f9137d1e06587542f8e6fbeac61e54571ca15a1029822b4822d98447edd49ca33bc674

Download Submit
C:\Users\Admin\AppData\Local\Temp\f36c19c0594ebb886dc55e1e2a7040ff3f1e38e04.5.273f27bd703f4f26926fc190021d65d71a2f1b9eab

Filesize
416B

MD5
5d1fab03f3d501b4702eeeceb10a383c

SHA1
5f89d46571715a9dbfd18a1c603b8d079ff92efe

SHA256
25cc636ae332f79d8b37336b721c8dc095ea28fa36543071e09ff80c99c93015

SHA512
875428e52001d3b8d615d503c71e272522ab6d8fdb658e21fd2fba9dbd676b60bea6609b61d48c1d790003884742e6be7a5210d0cb5831e39a37ecc8c78c6a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbe42f0a-2f13-4a66-996f-b3a4749776bf.vbs

Filesize
712B

MD5
99c98048c575460f2263b1ec3c750107

SHA1
482cb30af4d7a925d39a1922ec7e453e0b86c1f7

SHA256
199ef1c03eb9f309ec7c7f58b8cccf3c2be376db937941e8176ffaefaede6dd1

SHA512
17d0bbcfe80731caac9cc4cff70e741cf6f22749f24b39a4982429bca74e14e7353c9460f1062a5dd2818f21aff888073da05f81219c49013f31686bfd4a67a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e09e88f867616d0f3639936a6fef7df5

SHA1
a4c0877cafc09a477e6fa20c5bea51803ed4230d

SHA256
0f8432d79be1f9db9c7f71b7d80545fac4f66d21b2bc465109029206321d5fa7

SHA512
d473affd0f08cabaa5ce5c13828cf42fe611fa0cd0f3ab582014511b8c06d5e2962f8a0589691ec6cbfaae4e11eca586882d7bbfebd22f4b49060daabf37cd4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\THLRK03YV4BISGGSU54I.temp

Filesize
7KB

MD5
3a42d1dc23a12516b15772fb1992590c

SHA1
d053bfe3129e04cc58b062bb0a0262d73ad83cad

SHA256
4a5c2b16802527e0a2a7778952ea6a92269089689dfaf0bfdacd1a27942210c1

SHA512
b1d06b81ab15c1a7bcbb59b7ca44fa62a415886d50c6c0ebd22b4d184c848b6090991d31f0cf1fb0e2a19f7a8050c3c067d68bd5bc6561459eb3b231507b42a9

Download Submit
C:\Windows\System32\print\sppsvc.exe

Filesize
1.5MB

MD5
a85fc237c6a4ce58422363d3ab559e20

SHA1
581ad77fe54d760329df7be48163a65ce030b179

SHA256
ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474

SHA512
0345f6998a7c0f77264e7dc6d984bbbf4a08534c00a5bcedf25534c3dde1d2987394338288e192f251cdb06a27b26b582d50e3a0f7c3bfddfa6c5da395f1f19f

Download Submit
memory/1420-94-0x0000000002710000-0x0000000002718000-memory.dmp

Filesize
32KB

Download
memory/1604-145-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/1604-150-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/1912-115-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2692-11-0x0000000000620000-0x0000000000630000-memory.dmp

Filesize
64KB

Download
memory/2692-0-0x000007FEF6533000-0x000007FEF6534000-memory.dmp

Filesize
4KB

Download
memory/2692-24-0x000007FEF6530000-0x000007FEF6F1C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-20-0x0000000000840000-0x000000000084C000-memory.dmp

Filesize
48KB

Download
memory/2692-78-0x000007FEF6530000-0x000007FEF6F1C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-18-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/2692-1-0x00000000008C0000-0x0000000000A3E000-memory.dmp

Filesize
1.5MB

Download
memory/2692-17-0x0000000000820000-0x000000000082C000-memory.dmp

Filesize
48KB

Download
memory/2692-16-0x0000000000810000-0x0000000000818000-memory.dmp

Filesize
32KB

Download
memory/2692-15-0x0000000000800000-0x000000000080A000-memory.dmp

Filesize
40KB

Download
memory/2692-14-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/2692-13-0x0000000000640000-0x000000000064A000-memory.dmp

Filesize
40KB

Download
memory/2692-12-0x0000000000630000-0x0000000000638000-memory.dmp

Filesize
32KB

Download
memory/2692-21-0x0000000000850000-0x0000000000858000-memory.dmp

Filesize
32KB

Download
memory/2692-2-0x000007FEF6530000-0x000007FEF6F1C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-3-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2692-10-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/2692-9-0x0000000002210000-0x000000000221C000-memory.dmp

Filesize
48KB

Download
memory/2692-4-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2692-8-0x0000000000870000-0x0000000000878000-memory.dmp

Filesize
32KB

Download
memory/2692-5-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2692-7-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/2692-6-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/2712-93-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2920-178-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2920-177-0x0000000000B80000-0x0000000000CFE000-memory.dmp

Filesize
1.5MB

Download
memory/2932-201-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/3060-189-0x0000000001350000-0x00000000014CE000-memory.dmp

Filesize
1.5MB

Download