dcrat | b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-02-2025 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Size

2.2MB
MD5

734f6915b07742d30bc125ff73f87d80
SHA1

f5bbfbc8c5bd6ddb6329c3fca96261c787de0317
SHA256

b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2
SHA512

e9707ef0e75d94bea0c442cffde33aa74748b4c35471e45bab417dc5265f6ddb95e5d8edb55bf347a6a1d4881e50d85a75852f1acedf78a8892f44c708cee579
SSDEEP

49152:ssSHlG56vO0T3/Nh/ptuw/C3TqGaDxr1NcWTMUvif:sLlK6d3/Nh/bV/Oq3Dxp2RUG

Score

10^/10

dcrat defense_evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 43 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1076	schtasks.exe
		2016	schtasks.exe
		2812	schtasks.exe
		1180	schtasks.exe
		2592	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
		1756	schtasks.exe
		2864	schtasks.exe
		2248	schtasks.exe
		1772	schtasks.exe
		1972	schtasks.exe
		2656	schtasks.exe
		1236	schtasks.exe
		528	schtasks.exe
		2612	schtasks.exe
		1340	schtasks.exe
		1296	schtasks.exe
		2220	schtasks.exe
		2392	schtasks.exe
		2344	schtasks.exe
		1372	schtasks.exe
		2216	schtasks.exe
		2992	schtasks.exe
		2156	schtasks.exe
		1788	schtasks.exe
		2564	schtasks.exe
		2272	schtasks.exe
		2476	schtasks.exe
		2824	schtasks.exe
		2184	schtasks.exe
		1352	schtasks.exe
		2372	schtasks.exe
		844	schtasks.exe
		800	schtasks.exe
		2408	schtasks.exe
		2736	schtasks.exe
		2424	schtasks.exe
		2608	schtasks.exe
		1656	schtasks.exe
		484	schtasks.exe
		2556	schtasks.exe
		1904	schtasks.exe
		584	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 14 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files\\Windows Sidebar\\ja-JP\\wininit.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\MEIPreload\\csrss.exe\", \"C:\\Users\\All Users\\Desktop\\lsm.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Cursors\\dwm.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\Users\\Default User\\winlogon.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\sppsvc.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dllhost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files\\Windows Sidebar\\ja-JP\\wininit.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\wininit.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\spoolsv.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\System.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\services.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files\\Windows Sidebar\\ja-JP\\wininit.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\MEIPreload\\csrss.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2796	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2796	schtasks.exe	30

UAC bypass 3 TTPs 9 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2492-1-0x0000000001190000-0x00000000013BE000-memory.dmp	dcrat
behavioral1/files/0x00050000000193d4-38.dat	dcrat
behavioral1/files/0x00070000000186c8-84.dat	dcrat
behavioral1/files/0x000b0000000193d4-164.dat	dcrat
behavioral1/files/0x0008000000019da4-211.dat	dcrat
behavioral1/memory/616-236-0x0000000000B50000-0x0000000000D7E000-memory.dmp	dcrat
behavioral1/memory/1800-247-0x00000000012D0000-0x00000000014FE000-memory.dmp	dcrat
behavioral1/memory/1548-259-0x00000000002C0000-0x00000000004EE000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe

Executes dropped EXE 2 IoCs

pid	Process
616	lsm.exe
1800	lsm.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\spoolsv.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\services.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Sidebar\\ja-JP\\wininit.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\sppsvc.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\sppsvc.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\System.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Cursors\\dwm.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\winlogon.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dllhost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dllhost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\7-Zip\\Lang\\wininit.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\spoolsv.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\System.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\MEIPreload\\csrss.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\MEIPreload\\csrss.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\All Users\\Desktop\\lsm.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\services.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Cursors\\dwm.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\7-Zip\\Lang\\wininit.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Sidebar\\ja-JP\\wininit.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\All Users\\Desktop\\lsm.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\RCXBC3A.tmp	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXC248.tmp	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXC2B6.tmp	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files\Windows Sidebar\ja-JP\RCXC942.tmp	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\RCXCB45.tmp	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\0a1fd5f707cd16	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\csrss.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\56085415360792	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\886983d96e3d3e	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\RCXBC3B.tmp	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files\Windows Sidebar\ja-JP\RCXC941.tmp	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\RCXCBB4.tmp	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\csrss.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\sppsvc.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\wininit.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\sppsvc.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files\Windows Sidebar\ja-JP\wininit.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\wininit.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files\7-Zip\Lang\wininit.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files\7-Zip\Lang\56085415360792	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Cursors\dwm.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Windows\Cursors\dwm.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Windows\Cursors\6cb0b6c459d5d3	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Windows\servicing\Sessions\sppsvc.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Windows\Cursors\RCXB551.tmp	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Windows\Cursors\RCXB552.tmp	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2656	schtasks.exe
2372	schtasks.exe
2424	schtasks.exe
2864	schtasks.exe
1772	schtasks.exe
844	schtasks.exe
2408	schtasks.exe
2156	schtasks.exe
1788	schtasks.exe
2216	schtasks.exe
2184	schtasks.exe
2992	schtasks.exe
1904	schtasks.exe
2556	schtasks.exe
2248	schtasks.exe
1236	schtasks.exe
2344	schtasks.exe
2736	schtasks.exe
584	schtasks.exe
2392	schtasks.exe
2608	schtasks.exe
1352	schtasks.exe
1180	schtasks.exe
2476	schtasks.exe
1076	schtasks.exe
2812	schtasks.exe
2564	schtasks.exe
2612	schtasks.exe
484	schtasks.exe
1296	schtasks.exe
1756	schtasks.exe
2824	schtasks.exe
528	schtasks.exe
2592	schtasks.exe
2016	schtasks.exe
800	schtasks.exe
2272	schtasks.exe
1972	schtasks.exe
1340	schtasks.exe
1656	schtasks.exe
1372	schtasks.exe
2220	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
616	lsm.exe
616	lsm.exe
616	lsm.exe
616	lsm.exe
616	lsm.exe
616	lsm.exe
616	lsm.exe
616	lsm.exe
616	lsm.exe
616	lsm.exe
616	lsm.exe
616	lsm.exe
616	lsm.exe
616	lsm.exe
616	lsm.exe
616	lsm.exe
616	lsm.exe
616	lsm.exe
616	lsm.exe
616	lsm.exe
616	lsm.exe
616	lsm.exe
616	lsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Token: SeDebugPrivilege	616	lsm.exe
Token: SeDebugPrivilege	1800	lsm.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 1032	2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe	75
PID 2492 wrote to memory of 1032	2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe	75
PID 2492 wrote to memory of 1032	2492	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe	75
PID 1032 wrote to memory of 2440	1032	cmd.exe	77
PID 1032 wrote to memory of 2440	1032	cmd.exe	77
PID 1032 wrote to memory of 2440	1032	cmd.exe	77
PID 1032 wrote to memory of 616	1032	cmd.exe	78
PID 1032 wrote to memory of 616	1032	cmd.exe	78
PID 1032 wrote to memory of 616	1032	cmd.exe	78
PID 616 wrote to memory of 1296	616	lsm.exe	79
PID 616 wrote to memory of 1296	616	lsm.exe	79
PID 616 wrote to memory of 1296	616	lsm.exe	79
PID 616 wrote to memory of 2820	616	lsm.exe	80
PID 616 wrote to memory of 2820	616	lsm.exe	80
PID 616 wrote to memory of 2820	616	lsm.exe	80
PID 1296 wrote to memory of 1800	1296	WScript.exe	81
PID 1296 wrote to memory of 1800	1296	WScript.exe	81
PID 1296 wrote to memory of 1800	1296	WScript.exe	81
PID 1800 wrote to memory of 1920	1800	lsm.exe	82
PID 1800 wrote to memory of 1920	1800	lsm.exe	82
PID 1800 wrote to memory of 1920	1800	lsm.exe	82
PID 1800 wrote to memory of 2596	1800	lsm.exe	83
PID 1800 wrote to memory of 2596	1800	lsm.exe	83
PID 1800 wrote to memory of 2596	1800	lsm.exe	83

System policy modification 1 TTPs 9 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
"C:\Users\Admin\AppData\Local\Temp\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WxnR6kM1dC.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2440
- - C:\Users\All Users\Desktop\lsm.exe
    "C:\Users\All Users\Desktop\lsm.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:616
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\991d24f5-7e22-4c50-93bc-423cf27983b7.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1296
    - - C:\Users\All Users\Desktop\lsm.exe
        
        "C:\Users\All Users\Desktop\lsm.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1800
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\952c695e-e80e-4776-bac9-063c5c8e266a.vbs"
        6⤵
        
        PID:1920
        
        C:\Users\All Users\Desktop\lsm.exe
        
        "C:\Users\All Users\Desktop\lsm.exe"
        7⤵
        
        PID:1548
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5ead9be-5b13-414a-8dc3-a93305e26594.vbs"
        6⤵
        
        PID:2596
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbbf3503-64bd-4c0f-bc60-bb4ad2968d5d.vbs"
      4⤵
      PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Cursors\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2Nb" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2Nb" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\ja-JP\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RCXB34D.tmp

Filesize
2.2MB

MD5
6c14a33edfe0080e56e6021876c4c667

SHA1
7cfe4f6c021fe34138b31d511ba223462ddfd982

SHA256
86c565afecddd3edb1f2263d3376c450c114804c708569713ebfccb01a66575d

SHA512
df5d4a6deb8dee86db90edaced9aabbdc7050e5bb54bbfd5c4a3a3774139e93ae21b40b7434a7231ed9d7864cb9adf98df0beb40ada8c03cab8db17aae1c27c6

Download Submit
C:\Program Files\7-Zip\Lang\wininit.exe

Filesize
2.2MB

MD5
051e0e360a56fa87910a8d5d5bb53cf9

SHA1
7ed78f3906f1ef122d3cc594b152671e5274e59a

SHA256
e7ac2cf9886bea229b339eb6a9df4f58fa56e5f309bd111c92a6b189af970669

SHA512
855835134ac1bc2401a57e36dd2adc0305ce111595de3be9139295fea2132fc8388dc3d0e5e810402a9179ba8e16cc296dced1d5b32257f5e658578c45913d3f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\csrss.exe

Filesize
2.2MB

MD5
9c163224ba457022a68b69ad2d00a2ac

SHA1
d048d2a3f7add96f956ace21f7774b236c25c2a9

SHA256
fec26f04608010107231051b40ed714d84c6b59c255c3d246556908c7aa5de2e

SHA512
5f5e63b9e294b964cfebac320226ef4259f0a815e4c9bd99dffb5769c694c11b9b2ba5679fa78617ecefa942a275bab34b4544b04afe0469d24259cd1dd1748d

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe

Filesize
2.2MB

MD5
734f6915b07742d30bc125ff73f87d80

SHA1
f5bbfbc8c5bd6ddb6329c3fca96261c787de0317

SHA256
b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2

SHA512
e9707ef0e75d94bea0c442cffde33aa74748b4c35471e45bab417dc5265f6ddb95e5d8edb55bf347a6a1d4881e50d85a75852f1acedf78a8892f44c708cee579

Download Submit
C:\Users\Admin\AppData\Local\Temp\952c695e-e80e-4776-bac9-063c5c8e266a.vbs

Filesize
710B

MD5
cdbfedc9b88a4690a776fd056d0adf3e

SHA1
e3073102ed17ea464a0edd76b1ad25c642f09b17

SHA256
6410c4180750efa584c3cf90a93c9f05cdb434fd8fd2f8beb8f7aaa412cd4fe9

SHA512
63ee682db028bc4a9ec43c53aa5704758df45653b3851a020f0afc7aa8ee332e9759df7bac341a2fefc0f939be1e0e644331130d1b390091a7e6201c445d1111

Download Submit
C:\Users\Admin\AppData\Local\Temp\991d24f5-7e22-4c50-93bc-423cf27983b7.vbs

Filesize
709B

MD5
aa28cb1fdef63663e0c03efd3ab97b36

SHA1
8158daf085b7f957ab78b7c83416bb48ab68e259

SHA256
7b78a8eb11dc38a8f8559b0674ab85113acd2634ec0ee9c50a5af77f19c64763

SHA512
e5e1d53c1ca5ec411c7b4d6461b90983da776a4d6fb47c6d73866774d975fbe9867f3d623407bcedba22e72ede121aef465e8b5edd83b9a08230d6b987f2d7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\WxnR6kM1dC.bat

Filesize
199B

MD5
946306fb6709d0da50da38a0bcd8712e

SHA1
fd198b8dd5e6aa21405189afd243e9c6e12c42de

SHA256
7d4db49a4a3c69023d24805ace897ca2690c4fe8528169ade0e69425d42ea231

SHA512
d830a0f97a90b95206f37a87b1552aea74e49ea38746502d602a65c74b0121ea2355b50758c14f83a3c242fb4e689ce31c51c3b3e2b378ea785396749bcf33c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbbf3503-64bd-4c0f-bc60-bb4ad2968d5d.vbs

Filesize
486B

MD5
6893502e7f3a07c56b6ee470664eca21

SHA1
ec81fc4d7e0c7b893002a8f9a31d02cd479355e3

SHA256
bdc9f481b11a8dfba1940f02739c8ae495b6926e1d0926d547db088b6c4165aa

SHA512
921ded10b80b1d77aa112d517a63f2d9895fd2a975e040dccb9acd186f148ba50de1f2b6881bc6b39379e4d1f211537d575215258f795dbab889e0d9d322c1ab

Download Submit
memory/616-236-0x0000000000B50000-0x0000000000D7E000-memory.dmp

Filesize
2.2MB

Download
memory/1548-259-0x00000000002C0000-0x00000000004EE000-memory.dmp

Filesize
2.2MB

Download
memory/1800-247-0x00000000012D0000-0x00000000014FE000-memory.dmp

Filesize
2.2MB

Download
memory/2492-10-0x0000000001180000-0x0000000001188000-memory.dmp

Filesize
32KB

Download
memory/2492-28-0x000000001AF20000-0x000000001AF2C000-memory.dmp

Filesize
48KB

Download
memory/2492-13-0x000000001A7D0000-0x000000001A7DC000-memory.dmp

Filesize
48KB

Download
memory/2492-14-0x000000001A7F0000-0x000000001A7F8000-memory.dmp

Filesize
32KB

Download
memory/2492-15-0x000000001A800000-0x000000001A80C000-memory.dmp

Filesize
48KB

Download
memory/2492-16-0x000000001ACE0000-0x000000001ACE8000-memory.dmp

Filesize
32KB

Download
memory/2492-18-0x000000001AD70000-0x000000001AD82000-memory.dmp

Filesize
72KB

Download
memory/2492-19-0x000000001ADA0000-0x000000001ADAC000-memory.dmp

Filesize
48KB

Download
memory/2492-20-0x000000001AEA0000-0x000000001AEAC000-memory.dmp

Filesize
48KB

Download
memory/2492-21-0x000000001AEB0000-0x000000001AEBC000-memory.dmp

Filesize
48KB

Download
memory/2492-22-0x000000001AEE0000-0x000000001AEEA000-memory.dmp

Filesize
40KB

Download
memory/2492-23-0x000000001AEC0000-0x000000001AECE000-memory.dmp

Filesize
56KB

Download
memory/2492-25-0x000000001AEF0000-0x000000001AEFE000-memory.dmp

Filesize
56KB

Download
memory/2492-24-0x000000001AED0000-0x000000001AED8000-memory.dmp

Filesize
32KB

Download
memory/2492-26-0x000000001AF00000-0x000000001AF0C000-memory.dmp

Filesize
48KB

Download
memory/2492-12-0x000000001A7C0000-0x000000001A7CA000-memory.dmp

Filesize
40KB

Download
memory/2492-27-0x000000001AF10000-0x000000001AF18000-memory.dmp

Filesize
32KB

Download
memory/2492-29-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-11-0x000000001A7E0000-0x000000001A7F0000-memory.dmp

Filesize
64KB

Download
memory/2492-0-0x000007FEF5393000-0x000007FEF5394000-memory.dmp

Filesize
4KB

Download
memory/2492-9-0x0000000001170000-0x000000000117C000-memory.dmp

Filesize
48KB

Download
memory/2492-202-0x000007FEF5393000-0x000007FEF5394000-memory.dmp

Filesize
4KB

Download
memory/2492-8-0x0000000001150000-0x0000000001166000-memory.dmp

Filesize
88KB

Download
memory/2492-226-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-7-0x0000000000A30000-0x0000000000A40000-memory.dmp

Filesize
64KB

Download
memory/2492-233-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-6-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/2492-5-0x0000000000BA0000-0x0000000000BBC000-memory.dmp

Filesize
112KB

Download
memory/2492-4-0x0000000000350000-0x000000000035E000-memory.dmp

Filesize
56KB

Download
memory/2492-3-0x0000000000340000-0x000000000034E000-memory.dmp

Filesize
56KB

Download
memory/2492-2-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-1-0x0000000001190000-0x00000000013BE000-memory.dmp

Filesize
2.2MB

Download