dcrat | a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
05-02-2025 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Size

1.5MB
MD5

a7a220cf43d05ee623ddbad2968f41a0
SHA1

56ffc53df323457898d45a277bb765f1ebb830e5
SHA256

a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638
SHA512

6c4b5515d975bd861d4f2f6719b28e51e5b3b3f0f7f084d49ddd3283ffb91375c886e833c237b1c2419811ee230605713f5f200ee7f78a6e3cd407f57b579719
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 8 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2876	schtasks.exe
		3036	schtasks.exe
		2732	schtasks.exe
		1688	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File created	C:\Windows\System32\msswch\56085415360792		a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
		2820	schtasks.exe
		2624	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\msswch\\wininit.exe\", \"C:\\Windows\\System32\\WMADMOD\\dllhost.exe\", \"C:\\Windows\\System32\\IasMigPlugin\\winlogon.exe\", \"C:\\Windows\\System32\\samsrv\\dllhost.exe\", \"C:\\Users\\Default User\\winlogon.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\msswch\\wininit.exe\", \"C:\\Windows\\System32\\WMADMOD\\dllhost.exe\", \"C:\\Windows\\System32\\IasMigPlugin\\winlogon.exe\", \"C:\\Windows\\System32\\samsrv\\dllhost.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\msswch\\wininit.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\msswch\\wininit.exe\", \"C:\\Windows\\System32\\WMADMOD\\dllhost.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\msswch\\wininit.exe\", \"C:\\Windows\\System32\\WMADMOD\\dllhost.exe\", \"C:\\Windows\\System32\\IasMigPlugin\\winlogon.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\msswch\\wininit.exe\", \"C:\\Windows\\System32\\WMADMOD\\dllhost.exe\", \"C:\\Windows\\System32\\IasMigPlugin\\winlogon.exe\", \"C:\\Windows\\System32\\samsrv\\dllhost.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2720	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2720	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2720	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2720	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2720	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2720	schtasks.exe	31

UAC bypass 3 TTPs 33 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2908	powershell.exe
2924	powershell.exe
2772	powershell.exe
2964	powershell.exe
1460	powershell.exe
772	powershell.exe
2948	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe

Executes dropped EXE 10 IoCs

pid	Process
2340	dllhost.exe
2300	dllhost.exe
2188	dllhost.exe
948	dllhost.exe
516	dllhost.exe
1600	dllhost.exe
2884	dllhost.exe
2968	dllhost.exe
2268	dllhost.exe
2440	dllhost.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\WMADMOD\\dllhost.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\WMADMOD\\dllhost.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\IasMigPlugin\\winlogon.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\samsrv\\dllhost.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\msswch\\wininit.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\msswch\\wininit.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\IasMigPlugin\\winlogon.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\samsrv\\dllhost.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\System32\IasMigPlugin\cc11b995f2a76d	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File created	C:\Windows\System32\samsrv\5940a34987c991	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File opened for modification	C:\Windows\System32\samsrv\RCX1402.tmp	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File created	C:\Windows\System32\WMADMOD\dllhost.exe	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File created	C:\Windows\System32\samsrv\dllhost.exe	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File opened for modification	C:\Windows\System32\msswch\RCXDE7.tmp	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File opened for modification	C:\Windows\System32\WMADMOD\dllhost.exe	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File opened for modification	C:\Windows\System32\msswch\wininit.exe	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File created	C:\Windows\System32\msswch\56085415360792	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File created	C:\Windows\System32\IasMigPlugin\winlogon.exe	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File opened for modification	C:\Windows\System32\IasMigPlugin\winlogon.exe	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File created	C:\Windows\System32\msswch\wininit.exe	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File created	C:\Windows\System32\WMADMOD\5940a34987c991	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File opened for modification	C:\Windows\System32\WMADMOD\RCXFEA.tmp	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File opened for modification	C:\Windows\System32\IasMigPlugin\RCX11EE.tmp	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File opened for modification	C:\Windows\System32\samsrv\dllhost.exe	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3036	schtasks.exe
2732	schtasks.exe
2820	schtasks.exe
2624	schtasks.exe
1688	schtasks.exe
2876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
2948	powershell.exe
2908	powershell.exe
1460	powershell.exe
2964	powershell.exe
2924	powershell.exe
2772	powershell.exe
772	powershell.exe
2340	dllhost.exe
2340	dllhost.exe
2340	dllhost.exe
2340	dllhost.exe
2340	dllhost.exe
2340	dllhost.exe
2340	dllhost.exe
2340	dllhost.exe
2340	dllhost.exe
2340	dllhost.exe
2340	dllhost.exe
2340	dllhost.exe
2340	dllhost.exe
2340	dllhost.exe
2340	dllhost.exe
2340	dllhost.exe
2340	dllhost.exe
2340	dllhost.exe
2340	dllhost.exe
2340	dllhost.exe
2340	dllhost.exe
2340	dllhost.exe
2300	dllhost.exe
2300	dllhost.exe
2300	dllhost.exe
2300	dllhost.exe
2300	dllhost.exe
2300	dllhost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2340	dllhost.exe
Token: SeDebugPrivilege	2300	dllhost.exe
Token: SeDebugPrivilege	2188	dllhost.exe
Token: SeDebugPrivilege	948	dllhost.exe
Token: SeDebugPrivilege	516	dllhost.exe
Token: SeDebugPrivilege	1600	dllhost.exe
Token: SeDebugPrivilege	2884	dllhost.exe
Token: SeDebugPrivilege	2968	dllhost.exe
Token: SeDebugPrivilege	2268	dllhost.exe
Token: SeDebugPrivilege	2440	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2948	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	38
PID 2024 wrote to memory of 2948	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	38
PID 2024 wrote to memory of 2948	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	38
PID 2024 wrote to memory of 2908	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	39
PID 2024 wrote to memory of 2908	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	39
PID 2024 wrote to memory of 2908	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	39
PID 2024 wrote to memory of 2924	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	40
PID 2024 wrote to memory of 2924	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	40
PID 2024 wrote to memory of 2924	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	40
PID 2024 wrote to memory of 2964	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	41
PID 2024 wrote to memory of 2964	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	41
PID 2024 wrote to memory of 2964	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	41
PID 2024 wrote to memory of 2772	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	43
PID 2024 wrote to memory of 2772	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	43
PID 2024 wrote to memory of 2772	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	43
PID 2024 wrote to memory of 1460	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	44
PID 2024 wrote to memory of 1460	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	44
PID 2024 wrote to memory of 1460	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	44
PID 2024 wrote to memory of 772	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	45
PID 2024 wrote to memory of 772	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	45
PID 2024 wrote to memory of 772	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	45
PID 2024 wrote to memory of 2340	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	52
PID 2024 wrote to memory of 2340	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	52
PID 2024 wrote to memory of 2340	2024	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	52
PID 2340 wrote to memory of 276	2340	dllhost.exe	53
PID 2340 wrote to memory of 276	2340	dllhost.exe	53
PID 2340 wrote to memory of 276	2340	dllhost.exe	53
PID 2340 wrote to memory of 2320	2340	dllhost.exe	54
PID 2340 wrote to memory of 2320	2340	dllhost.exe	54
PID 2340 wrote to memory of 2320	2340	dllhost.exe	54
PID 276 wrote to memory of 2300	276	WScript.exe	55
PID 276 wrote to memory of 2300	276	WScript.exe	55
PID 276 wrote to memory of 2300	276	WScript.exe	55
PID 2300 wrote to memory of 2604	2300	dllhost.exe	56
PID 2300 wrote to memory of 2604	2300	dllhost.exe	56
PID 2300 wrote to memory of 2604	2300	dllhost.exe	56
PID 2300 wrote to memory of 2660	2300	dllhost.exe	57
PID 2300 wrote to memory of 2660	2300	dllhost.exe	57
PID 2300 wrote to memory of 2660	2300	dllhost.exe	57
PID 2604 wrote to memory of 2188	2604	WScript.exe	58
PID 2604 wrote to memory of 2188	2604	WScript.exe	58
PID 2604 wrote to memory of 2188	2604	WScript.exe	58
PID 2188 wrote to memory of 944	2188	dllhost.exe	59
PID 2188 wrote to memory of 944	2188	dllhost.exe	59
PID 2188 wrote to memory of 944	2188	dllhost.exe	59
PID 2188 wrote to memory of 1508	2188	dllhost.exe	60
PID 2188 wrote to memory of 1508	2188	dllhost.exe	60
PID 2188 wrote to memory of 1508	2188	dllhost.exe	60
PID 944 wrote to memory of 948	944	WScript.exe	61
PID 944 wrote to memory of 948	944	WScript.exe	61
PID 944 wrote to memory of 948	944	WScript.exe	61
PID 948 wrote to memory of 2484	948	dllhost.exe	62
PID 948 wrote to memory of 2484	948	dllhost.exe	62
PID 948 wrote to memory of 2484	948	dllhost.exe	62
PID 948 wrote to memory of 2432	948	dllhost.exe	63
PID 948 wrote to memory of 2432	948	dllhost.exe	63
PID 948 wrote to memory of 2432	948	dllhost.exe	63
PID 2484 wrote to memory of 516	2484	WScript.exe	64
PID 2484 wrote to memory of 516	2484	WScript.exe	64
PID 2484 wrote to memory of 516	2484	WScript.exe	64
PID 516 wrote to memory of 1700	516	dllhost.exe	65
PID 516 wrote to memory of 1700	516	dllhost.exe	65
PID 516 wrote to memory of 1700	516	dllhost.exe	65
PID 516 wrote to memory of 2280	516	dllhost.exe	66

System policy modification 1 TTPs 33 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
"C:\Users\Admin\AppData\Local\Temp\a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\msswch\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WMADMOD\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\IasMigPlugin\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\samsrv\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\Windows\System32\samsrv\dllhost.exe
  "C:\Windows\System32\samsrv\dllhost.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2340
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3ce510f-8c0d-47c0-9f12-c21bc8a4b295.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:276
  - - C:\Windows\System32\samsrv\dllhost.exe
      C:\Windows\System32\samsrv\dllhost.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2300
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b68d5dc1-7749-4fe2-b2c8-7585f0767b83.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\System32\samsrv\dllhost.exe
        
        C:\Windows\System32\samsrv\dllhost.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f824eee-dc56-4c72-b27b-8386d6f1047c.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\System32\samsrv\dllhost.exe
        
        C:\Windows\System32\samsrv\dllhost.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36ff3fdd-ba31-4eb7-82c9-4d83a29a48be.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\System32\samsrv\dllhost.exe
        
        C:\Windows\System32\samsrv\dllhost.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7bf5858-862a-4bc0-993d-05bfd6500e55.vbs"
        11⤵
        
        PID:1700
        
        C:\Windows\System32\samsrv\dllhost.exe
        
        C:\Windows\System32\samsrv\dllhost.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cc23588-cb88-4080-9735-b2848488bbcf.vbs"
        13⤵
        
        PID:1744
        
        C:\Windows\System32\samsrv\dllhost.exe
        
        C:\Windows\System32\samsrv\dllhost.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d444aba0-7bf6-49a6-83a3-ec5aed078e2b.vbs"
        15⤵
        
        PID:2120
        
        C:\Windows\System32\samsrv\dllhost.exe
        
        C:\Windows\System32\samsrv\dllhost.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b82a469-d7f8-4654-a317-a24c62d824ee.vbs"
        17⤵
        
        PID:828
        
        C:\Windows\System32\samsrv\dllhost.exe
        
        C:\Windows\System32\samsrv\dllhost.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c35d8cc-93a7-4578-982d-9ac0df39f20d.vbs"
        19⤵
        
        PID:1920
        
        C:\Windows\System32\samsrv\dllhost.exe
        
        C:\Windows\System32\samsrv\dllhost.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5423a553-b180-40f6-96bb-a0f09fda8306.vbs"
        21⤵
        
        PID:2408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f505564-4803-4b71-bc19-3d04c820bf70.vbs"
        21⤵
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12b87e08-e57e-4083-8747-b9cbf40eaee5.vbs"
        19⤵
        
        PID:1128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdbf92a6-a4f7-4631-bf0e-16cd8e181193.vbs"
        17⤵
        
        PID:2292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9538133-dba8-4415-b535-de78eef3c04e.vbs"
        15⤵
        
        PID:1912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42dc5dc9-733c-4461-88fe-f6c8a0a83774.vbs"
        13⤵
        
        PID:1972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21b285c1-d330-4d6e-a5e2-4f3e661b4593.vbs"
        11⤵
        
        PID:2280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2030ff17-15e0-48d2-a287-a6db01a81436.vbs"
        9⤵
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d05df50-0e45-4dd5-bf76-7fb9c1f766f2.vbs"
        7⤵
        
        PID:1508
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48dacade-c02d-45e3-ac45-a2a43b6744fd.vbs"
        5⤵
        
        PID:2660
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5bef467-2dcb-4ccc-bbf3-3c9592c0e9a9.vbs"
    3⤵
    PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\msswch\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\WMADMOD\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\IasMigPlugin\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\samsrv\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\36ff3fdd-ba31-4eb7-82c9-4d83a29a48be.vbs

Filesize
713B

MD5
4f3565c392f85695fa0350d50c409a36

SHA1
a0b8943ab3cde1ede40492c2ea3a5442d5777f59

SHA256
802aa4a39dbc2c097094592ed78cb8e5aa84ef74288270160d89189ea3f11833

SHA512
747432a388aab2b4583a75911d616a0c81b04c4b43a2854710a08fd0cd6654a6da6bc325715bfc594d63b0a7d10a0a7598d85d5a8511d940a338c1966e9430c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5423a553-b180-40f6-96bb-a0f09fda8306.vbs

Filesize
714B

MD5
093440ef4917e3a6b39eece75838d122

SHA1
5c2e6ef9c28c0be13b6e78a9d3fc12cd114418cf

SHA256
8c7b479930d18952902281d73645493c9b7a456a5bfeaa6fc2b15444525aa858

SHA512
11fbd7c621664ecfe28081ebdd7973b785b94143eec2c7062588faced240b98a131cb5ce5a5bf1f74edcff0bd0d538f45c560235da45e00a797315889fb21aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b82a469-d7f8-4654-a317-a24c62d824ee.vbs

Filesize
714B

MD5
a609e518611a79ac6c40428db62666d6

SHA1
79ed08f5f7e3fa4e22683f970bbe03158c246572

SHA256
ce6e54747f9d16ea72ab7d38084c8bed2a9ab141e2473be423271f59cf5cab81

SHA512
ec9350376064ce2c9226df8f9e3aa22067ab3c81310d37bcd90c92a99503d8ef60b473af986ca40785139553046fbc91e8f3387e727196638cdfa2f9d7eab9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c35d8cc-93a7-4578-982d-9ac0df39f20d.vbs

Filesize
714B

MD5
f42c1bd54c7940f3f5d7308102544f44

SHA1
b54893911049bcbc8582c9398b003553cbd0e1d4

SHA256
f4867447bf61e721e47449d69a2923b772ecf1b81ebe850a9b538271ad536fa4

SHA512
ddf8b4593b676126dac307f4cc5e79101a5cd81e29329caba65e325c18635f87b2468abe3ae4ccdad3d206591e1d40ac1fc02954377fbc4e938faee6d3671d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f824eee-dc56-4c72-b27b-8386d6f1047c.vbs

Filesize
714B

MD5
f8030d41078b80ced75698cd76fd2ece

SHA1
7ece848f4056118ef697edf06bfd3f839d7ac84f

SHA256
567ec475f8eefcd90b5101ed193c7cc86940449a27455712dabc23af603e197b

SHA512
bbc9fc72c9c8f2a9b63c65ecbb251c33d6d455688a08a6d67d758d58409993d63b4941135e92c22b7696a161d7f3e9d0d6f25e279fe3896b1001f2ac6ca62699

Download Submit
C:\Users\Admin\AppData\Local\Temp\9cc23588-cb88-4080-9735-b2848488bbcf.vbs

Filesize
714B

MD5
a287859bc9784a2d30b0b813caead22c

SHA1
28754d3353a935becf980693f0bc0f181545165b

SHA256
6a42dd13c7b083a83e0d68422eb0127cbbe70493a85815f39cc2c8fab304fd3b

SHA512
696b7317f138ee0d7e45e18aaf247067b91e3decbee60acc4d595b12bce6b5eb560d850abb6805b5482c139abc795691d7eb9a64eabe6aa6eae1c2d3adfa7dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5bef467-2dcb-4ccc-bbf3-3c9592c0e9a9.vbs

Filesize
490B

MD5
71282c67cf4fccc90c3b21067d734217

SHA1
3d72cd0e4346cead38a245758f8528f4b8c44ee5

SHA256
426f8fafb6d14f1143025b7b36b3f9e9f125d829a2f2d9f7c28b2e9c93e247f8

SHA512
4e41aa31ac399aebfaa39b3f8228aae0dcd78d4bd566ea26f836d79616798395f935ec87fa140bf54bc209b3bd1de01262b8e2a1d716b4c2c15d129ecde32e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\b68d5dc1-7749-4fe2-b2c8-7585f0767b83.vbs

Filesize
714B

MD5
047f6112343d1450f9e929b67b14412c

SHA1
cc0b9dfd0b85f07ca1beabe75923cc36cd75b62d

SHA256
c72713a2a4dedf7bfb8c3d411b6673e652c28fcc9e781ee782c75b8f8b80090b

SHA512
671292ed64e9f85313878826737018af396bc93db0dbb4f9723d8db3bb677faebe9e1c6aa817606f26c33c272c4090d2122e7f701a70606eec9a87f7374f6be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7bf5858-862a-4bc0-993d-05bfd6500e55.vbs

Filesize
713B

MD5
56c7f55be31a5007ae45b63a653af59b

SHA1
1702571ad1d812121119c6c8c58213b941ecfa03

SHA256
114d27b97cf216d769ba99cb1306c637e87ec0906e48c73072c1de6469b74875

SHA512
4c504a5df75676c6fd24f6676f4c0e34fc598715a8c9d545d9b83ad556fa7a4a6fc0fbbebde8e0a718f9a202655ae28e5d3de31413e420cf183d05b2f02659c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d444aba0-7bf6-49a6-83a3-ec5aed078e2b.vbs

Filesize
714B

MD5
a1360b65754dc1b7f4cb102fd76a787d

SHA1
0bb02b5259bfe0edb1bdc5804fcb335213605580

SHA256
0078aa15fa21926f976b81b3b9893c7e5d1fe6d6b7ba85b2744e521a7dde3a70

SHA512
c737ab1b7d4f3db7acf9e896c04846cae32789cb884af2252fa4e2300e01ad236a3f066a5b23089f6f474f75271e1d905ffa9d8d39b98e3a58485630eff45fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3ce510f-8c0d-47c0-9f12-c21bc8a4b295.vbs

Filesize
714B

MD5
2f16cd41093bc3c610b4d594a3f6279b

SHA1
34212ed20455c42ce38d5c39e09d9a6755c7920d

SHA256
d2f19e9044f009b5c0d9111493c9d2bc9647c31fce9276965e95fd38c591c86d

SHA512
e462937084811b2015d9232d2a758f4a76612a32c6e435f0f1da12b7a35aeeffa672eb69ccfba42cd28d665ec98a28dbd409dd090a86db9f8d100891130c601e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
99a848ded66b2c03563da2335f1c095e

SHA1
6c4e0458b9598de5ef869e992715ff632465cb6f

SHA256
b18575788c3abbbf36f12007230bfd400b9eb9c4cb4d2fdd89caebb2eb49967b

SHA512
13983340b930dd9956a1442e34181f8deb291a7f8ccee72ee886f8c8f1f71c1c9cdde3c192f5f62f6bb3ff9870230436782ec5118f5c639db232e31e6b10aacd

Download Submit
C:\Users\Default\winlogon.exe

Filesize
1.5MB

MD5
a7a220cf43d05ee623ddbad2968f41a0

SHA1
56ffc53df323457898d45a277bb765f1ebb830e5

SHA256
a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638

SHA512
6c4b5515d975bd861d4f2f6719b28e51e5b3b3f0f7f084d49ddd3283ffb91375c886e833c237b1c2419811ee230605713f5f200ee7f78a6e3cd407f57b579719

Download Submit
memory/516-171-0x0000000000C10000-0x0000000000D8E000-memory.dmp

Filesize
1.5MB

Download
memory/948-159-0x0000000000060000-0x00000000001DE000-memory.dmp

Filesize
1.5MB

Download
memory/1460-120-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/1600-183-0x0000000000E00000-0x0000000000F7E000-memory.dmp

Filesize
1.5MB

Download
memory/2024-12-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/2024-10-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/2024-20-0x0000000000B50000-0x0000000000B5C000-memory.dmp

Filesize
48KB

Download
memory/2024-21-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/2024-24-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2024-17-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

Filesize
48KB

Download
memory/2024-35-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2024-16-0x0000000000AA0000-0x0000000000AA8000-memory.dmp

Filesize
32KB

Download
memory/2024-113-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2024-15-0x0000000000A90000-0x0000000000A9A000-memory.dmp

Filesize
40KB

Download
memory/2024-1-0x0000000000E60000-0x0000000000FDE000-memory.dmp

Filesize
1.5MB

Download
memory/2024-2-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2024-14-0x0000000000A80000-0x0000000000A8C000-memory.dmp

Filesize
48KB

Download
memory/2024-13-0x0000000000A70000-0x0000000000A7A000-memory.dmp

Filesize
40KB

Download
memory/2024-3-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/2024-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

Filesize
4KB

Download
memory/2024-11-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/2024-18-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/2024-9-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2024-8-0x00000000001F0000-0x00000000001F8000-memory.dmp

Filesize
32KB

Download
memory/2024-7-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

Filesize
48KB

Download
memory/2024-6-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/2024-5-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/2024-4-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/2268-220-0x0000000000870000-0x00000000009EE000-memory.dmp

Filesize
1.5MB

Download
memory/2300-136-0x00000000011B0000-0x000000000132E000-memory.dmp

Filesize
1.5MB

Download
memory/2340-102-0x0000000000B20000-0x0000000000C9E000-memory.dmp

Filesize
1.5MB

Download
memory/2440-232-0x0000000000A50000-0x0000000000BCE000-memory.dmp

Filesize
1.5MB

Download
memory/2440-233-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2884-196-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2884-195-0x0000000001130000-0x00000000012AE000-memory.dmp

Filesize
1.5MB

Download
memory/2948-119-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/2968-208-0x0000000000120000-0x000000000029E000-memory.dmp

Filesize
1.5MB

Download