dcrat | c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96e

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\Admin\\lsm.exe\", \"C:\\Windows\\System32\\srclient\\winlogon.exe\""	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\Admin\\lsm.exe\", \"C:\\Windows\\System32\\srclient\\winlogon.exe\", \"C:\\Windows\\System32\\wbem\\wmipdskq\\WmiPrvSE.exe\""	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\Admin\\lsm.exe\", \"C:\\Windows\\System32\\srclient\\winlogon.exe\", \"C:\\Windows\\System32\\wbem\\wmipdskq\\WmiPrvSE.exe\", \"C:\\Windows\\ServiceProfiles\\NetworkService\\Videos\\winlogon.exe\""	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\Admin\\lsm.exe\", \"C:\\Windows\\System32\\srclient\\winlogon.exe\", \"C:\\Windows\\System32\\wbem\\wmipdskq\\WmiPrvSE.exe\", \"C:\\Windows\\ServiceProfiles\\NetworkService\\Videos\\winlogon.exe\", \"C:\\Windows\\System32\\localsec\\lsm.exe\""	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\Admin\\lsm.exe\""	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2676	schtasks.exe	31

UAC bypass 3 TTPs 6 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2100-1-0x0000000000A50000-0x0000000000B44000-memory.dmp	dcrat
behavioral1/files/0x000500000001925e-20.dat	dcrat
behavioral1/files/0x000b0000000193b4-59.dat	dcrat
behavioral1/memory/776-94-0x0000000000270000-0x0000000000364000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
776	lsm.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\PerfLogs\\Admin\\lsm.exe\""	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\srclient\\winlogon.exe\""	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\wmipdskq\\WmiPrvSE.exe\""	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\ServiceProfiles\\NetworkService\\Videos\\winlogon.exe\""	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\ServiceProfiles\\NetworkService\\Videos\\winlogon.exe\""	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\localsec\\lsm.exe\""	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\PerfLogs\\Admin\\lsm.exe\""	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\srclient\\winlogon.exe\""	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\wmipdskq\\WmiPrvSE.exe\""	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\localsec\\lsm.exe\""	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\System32\localsec\lsm.exe	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
File opened for modification	C:\Windows\System32\srclient\winlogon.exe	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
File opened for modification	C:\Windows\System32\localsec\RCXE664.tmp	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
File opened for modification	C:\Windows\System32\localsec\lsm.exe	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
File opened for modification	C:\Windows\System32\srclient\RCXDFE8.tmp	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
File opened for modification	C:\Windows\System32\localsec\RCXE663.tmp	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
File created	C:\Windows\System32\wbem\wmipdskq\WmiPrvSE.exe	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
File created	C:\Windows\System32\wbem\wmipdskq\24dbde2999530ef5fd907494bc374d663924116c	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
File created	C:\Windows\System32\localsec\101b941d020240259ca4912829b53995ad543df6	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
File opened for modification	C:\Windows\System32\srclient\RCXDFE9.tmp	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
File opened for modification	C:\Windows\System32\wbem\wmipdskq\RCXE1EC.tmp	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
File opened for modification	C:\Windows\System32\wbem\wmipdskq\RCXE25B.tmp	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
File created	C:\Windows\System32\srclient\winlogon.exe	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
File created	C:\Windows\System32\srclient\cc11b995f2a76da408ea6a601e682e64743153ad	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
File opened for modification	C:\Windows\System32\wbem\wmipdskq\WmiPrvSE.exe	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\NetworkService\Videos\winlogon.exe	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Videos\cc11b995f2a76da408ea6a601e682e64743153ad	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Videos\RCXE45E.tmp	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Videos\RCXE45F.tmp	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Videos\winlogon.exe	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1312	schtasks.exe
2728	schtasks.exe
2560	schtasks.exe
2588	schtasks.exe
2836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2100	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
Token: SeDebugPrivilege	776	lsm.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 776	2100	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe	37
PID 2100 wrote to memory of 776	2100	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe	37
PID 2100 wrote to memory of 776	2100	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe	37

System policy modification 1 TTPs 6 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe
"C:\Users\Admin\AppData\Local\Temp\c79981b0074ac288d065d459de654d9b7003f625d76526211805decdaa94f96eN.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2100
- C:\PerfLogs\Admin\lsm.exe
  "C:\PerfLogs\Admin\lsm.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\PerfLogs\Admin\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\srclient\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\wmipdskq\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\localsec\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry