dcrat | c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28

Analysis

max time kernel
130s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Size

2.5MB
MD5

587e1d2473fea9284918bfbcf9897de2
SHA1

25dc1703e07cc5cc890238cc18d0199effab86be
SHA256

c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28
SHA512

1e7313c16f84e618b9d9cea644d95b34cdb339830c5354354f126b85e8772994302abe5d7a2554e62898fb36d38f03c90b012e4060b69f57ce35806e975522fc
SSDEEP

49152:4sg2eGAIciUHLJPXf0fo+goVM6EztdiHGEgE7YsOlTvtq9hzDzqv:4FLHLJPPI9ErnvaYzlAfDzq

Score

10^/10

dcrat evasion execution infostealer persistence rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 9 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Users\\Admin\\Videos\\lsass.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\csrss.exe\", \"C:\\Windows\\Panther\\actionqueue\\winlogon.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Users\\Admin\\Videos\\lsass.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\csrss.exe\", \"C:\\Windows\\Panther\\actionqueue\\winlogon.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\dllhost.exe\", \"C:\\Windows\\AppPatch\\it-IT\\csrss.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Users\\Admin\\Videos\\lsass.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Users\\Admin\\Videos\\lsass.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\csrss.exe\", \"C:\\Windows\\Panther\\actionqueue\\winlogon.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\dllhost.exe\", \"C:\\Windows\\AppPatch\\it-IT\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Users\\Admin\\Videos\\lsass.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\csrss.exe\", \"C:\\Windows\\Panther\\actionqueue\\winlogon.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\dllhost.exe\", \"C:\\Windows\\AppPatch\\it-IT\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\spoolsv.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Users\\Admin\\Videos\\lsass.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\csrss.exe\", \"C:\\Windows\\Panther\\actionqueue\\winlogon.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\dllhost.exe\", \"C:\\Windows\\AppPatch\\it-IT\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\smss.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Users\\Admin\\Videos\\lsass.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\csrss.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Users\\Admin\\Videos\\lsass.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\csrss.exe\", \"C:\\Windows\\Panther\\actionqueue\\winlogon.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\dllhost.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2712	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

winlogon.exec729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1444-1-0x0000000001100000-0x0000000001390000-memory.dmp	dcrat
C:\Windows\Panther\actionqueue\winlogon.exe	dcrat
behavioral1/memory/1052-70-0x0000000001180000-0x0000000001410000-memory.dmp	dcrat

Detects executables packed with SmartAssembly 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1444-7-0x0000000000620000-0x000000000062A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1444-11-0x0000000000650000-0x000000000065C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1444-18-0x0000000000D90000-0x0000000000D9A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1444-14-0x0000000000C80000-0x0000000000C8A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2280 powershell.exe
1036 powershell.exe
1452 powershell.exe
540 powershell.exe
2136 powershell.exe
2084 powershell.exe
896 powershell.exe
2144 powershell.exe
2608 powershell.exe
2308 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

winlogon.exe

pid process

1052 winlogon.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2280	powershell.exe
1036	powershell.exe
1452	powershell.exe
540	powershell.exe
2136	powershell.exe
2084	powershell.exe
896	powershell.exe
2144	powershell.exe
2608	powershell.exe
2308	powershell.exe

pid	process
1052	winlogon.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\dllhost.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\smss.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\Videos\\lsass.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\csrss.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\csrss.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Panther\\actionqueue\\winlogon.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\dllhost.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Panther\\actionqueue\\winlogon.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\AppPatch\\it-IT\\csrss.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\spoolsv.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\spoolsv.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\smss.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\Videos\\lsass.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\AppPatch\\it-IT\\csrss.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exewinlogon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Drops file in Program Files directory 2 IoCs

Processes:

c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\spoolsv.exe	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\f3b6ecef712a24	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe

Drops file in Windows directory 5 IoCs

Processes:

c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe

description	ioc	process
File created	C:\Windows\schemas\TSWorkSpace\Idle.exe	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Windows\Panther\actionqueue\winlogon.exe	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Windows\Panther\actionqueue\cc11b995f2a76d	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Windows\AppPatch\it-IT\csrss.exe	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Windows\AppPatch\it-IT\886983d96e3d3e	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
1792	schtasks.exe
1516	schtasks.exe
2488	schtasks.exe
2684	schtasks.exe
1632	schtasks.exe
1868	schtasks.exe
2168	schtasks.exe
1812	schtasks.exe
1960	schtasks.exe
2644	schtasks.exe
2836	schtasks.exe
2080	schtasks.exe
2540	schtasks.exe
2420	schtasks.exe
1980	schtasks.exe
532	schtasks.exe
2556	schtasks.exe
2672	schtasks.exe
2516	schtasks.exe
288	schtasks.exe
1504	schtasks.exe
2816	schtasks.exe
2580	schtasks.exe
2668	schtasks.exe
2404	schtasks.exe
2212	schtasks.exe
2200	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewinlogon.exe

pid	process
1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
540	powershell.exe
2608	powershell.exe
2136	powershell.exe
2084	powershell.exe
896	powershell.exe
1452	powershell.exe
2144	powershell.exe
2308	powershell.exe
1036	powershell.exe
2280	powershell.exe
1052	winlogon.exe
1052	winlogon.exe
1052	winlogon.exe
1052	winlogon.exe
1052	winlogon.exe
1052	winlogon.exe
1052	winlogon.exe
1052	winlogon.exe
1052	winlogon.exe
1052	winlogon.exe
1052	winlogon.exe
1052	winlogon.exe
1052	winlogon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

winlogon.exe

pid process

1052 winlogon.exe

pid	process
1052	winlogon.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	1052	winlogon.exe
Token: SeBackupPrivilege	2508	vssvc.exe
Token: SeRestorePrivilege	2508	vssvc.exe
Token: SeAuditPrivilege	2508	vssvc.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exewinlogon.exe

description	pid	process	target process
PID 1444 wrote to memory of 1452	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 1452	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 1452	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 2136	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 2136	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 2136	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 540	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 540	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 540	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 2308	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 2308	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 2308	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 2608	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 2608	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 2608	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 2144	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 2144	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 2144	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 896	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 896	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 896	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 1036	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 1036	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 1036	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 2084	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 2084	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 2084	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 2280	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 2280	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 2280	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 1444 wrote to memory of 1052	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	winlogon.exe
PID 1444 wrote to memory of 1052	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	winlogon.exe
PID 1444 wrote to memory of 1052	1444	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	winlogon.exe
PID 1052 wrote to memory of 1976	1052	winlogon.exe	WScript.exe
PID 1052 wrote to memory of 1976	1052	winlogon.exe	WScript.exe
PID 1052 wrote to memory of 1976	1052	winlogon.exe	WScript.exe
PID 1052 wrote to memory of 2948	1052	winlogon.exe	WScript.exe
PID 1052 wrote to memory of 2948	1052	winlogon.exe	WScript.exe
PID 1052 wrote to memory of 2948	1052	winlogon.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
"C:\Users\Admin\AppData\Local\Temp\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\lsass.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\actionqueue\winlogon.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dllhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\it-IT\csrss.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\spoolsv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\Panther\actionqueue\winlogon.exe
"C:\Windows\Panther\actionqueue\winlogon.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1052

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd4ef7b9-f5b3-4d8c-95dd-dc83a8a44b13.vbs"
3⤵
PID:1976

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fe9f2e4-b5b6-493d-aea6-a3d555fbf939.vbs"
3⤵
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Videos\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Videos\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\actionqueue\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\actionqueue\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppPatch\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8fe9f2e4-b5b6-493d-aea6-a3d555fbf939.vbs
Filesize
495B

MD5
94f068d2b6d88bf9e8b72e12142a710c

SHA1
17e781e49a1c271e565677a4873f55b136fce92a

SHA256
5eabd8dae4858db6303f0c987b2e0068fb5bc00eb23d1d26236bed22a0d083b7

SHA512
bf00bbc83bc565df6357f93a42f1ae01c759efb473830fc5791304449f00b2f7350b6c9e5a1975f2cd739b0999b8331faa8acc95748e20da88bbfbc075067d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd4ef7b9-f5b3-4d8c-95dd-dc83a8a44b13.vbs
Filesize
719B

MD5
15727a3127745550670847a1531a8265

SHA1
7f012d147be2db1e8b77b17744155b9efcebd3a4

SHA256
84d32e89c4db039aac5c4c19fe496dbec24e40415562aee80ee5b5161706f00a

SHA512
7cf4a358ebeb6fe32a50bb646f1b57e1dbfb2c5aa917a48280e20184ba760a9e50d390b93d065b96b8a09b3b7d03df54a4a04c4446f06ec1a5b9395ba18681f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
795ed6806cd93e07505076af4cbecf77

SHA1
47f53fcb37e2952ebe6a12ba65b5bd38b17f0144

SHA256
54fb46ecd66873a843693a52438662a733e8556f8937e5131d3c59f3cab7a0dc

SHA512
e244380bf69d1922ac11cdd48abe93ab5d41d46bd3e248d79293e40aed5926d24fa7ad5ae4686ffc6b1f1c5c4e0af65da54f6c971775e2375a9ce69f5d2e186b

Download Submit
C:\Windows\Panther\actionqueue\winlogon.exe
Filesize
2.5MB

MD5
587e1d2473fea9284918bfbcf9897de2

SHA1
25dc1703e07cc5cc890238cc18d0199effab86be

SHA256
c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28

SHA512
1e7313c16f84e618b9d9cea644d95b34cdb339830c5354354f126b85e8772994302abe5d7a2554e62898fb36d38f03c90b012e4060b69f57ce35806e975522fc

Download Submit
memory/540-53-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/1052-70-0x0000000001180000-0x0000000001410000-memory.dmp

Filesize
2.6MB

Download
memory/1444-86-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Filesize
9.9MB

Download
memory/1444-3-0x0000000000430000-0x000000000043E000-memory.dmp

Filesize
56KB

Download
memory/1444-4-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/1444-11-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/1444-19-0x0000000000DA0000-0x0000000000DAC000-memory.dmp

Filesize
48KB

Download
memory/1444-18-0x0000000000D90000-0x0000000000D9A000-memory.dmp

Filesize
40KB

Download
memory/1444-8-0x0000000000C20000-0x0000000000C76000-memory.dmp

Filesize
344KB

Download
memory/1444-6-0x0000000000600000-0x0000000000616000-memory.dmp

Filesize
88KB

Download
memory/1444-0-0x000007FEF59B3000-0x000007FEF59B4000-memory.dmp

Filesize
4KB

Download
memory/1444-7-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/1444-1-0x0000000001100000-0x0000000001390000-memory.dmp

Filesize
2.6MB

Download
memory/1444-5-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/1444-17-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

Filesize
32KB

Download
memory/1444-16-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/1444-15-0x0000000000C90000-0x0000000000C9E000-memory.dmp

Filesize
56KB

Download
memory/1444-14-0x0000000000C80000-0x0000000000C8A000-memory.dmp

Filesize
40KB

Download
memory/1444-13-0x0000000000C70000-0x0000000000C78000-memory.dmp

Filesize
32KB

Download
memory/1444-12-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download
memory/1444-10-0x0000000000640000-0x0000000000648000-memory.dmp

Filesize
32KB

Download
memory/1444-9-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/1444-2-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-54-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download