Analysis
max time kernel:  327s
max time network: 387s
platform:         windows10_x64
resource:         win10v20210410
submitted:        21-04-2021 18:06

Static task: static1
Behavioral tasks:
  behavioral1  sample dashdV.exe  resource win10v20210410
  behavioral2  sample dashdV.exe  resource win10v20210408
  behavioral3  sample dashdV.exe  resource win10v20210410
  behavioral4  sample dashdV.exe  resource win10v20210410
  behavioral5  sample dashdV.exe  resource win7v20210410

General
Target: dashdV.exe
Size:   17.1MB
MD5:    765f570a565d578f2ace3ccb41cef038
SHA1:   89b44e3aa8f3c93f80ae29f7a36a9486b080229d
SHA256: 0d7c515d3483b45d5725717070e8497435c39b3450af59194b2a32a33c2867e8
SHA512: 941862a1d09e70725f9826b05dc8a8c7442add91229f39ac7ea9d4e6b8d0f751d749ac6b6ac2202290122945e14bab06516680a7007598af7cca62ac1b465898
Malware Config
Signatures

DcRat
DarkCrystal RAT (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.
YARA matches (resource / rule):
  C:\ProgramData\aye.exe  Dark_crystal_rat  (matched twice)

Modifies WinLogon for persistence  2 TTPs  8 IoCs
Process: netDhcpDriverruntimeCommon.exe
Value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell  (Set value, str)
The value is rewritten eight times; each write re-sets the whole comma-separated list with one more double-quoted payload path appended. Winlogon starts every entry in that list at logon, so the final value launches explorer.exe plus eight dropped executables:
  1. explorer.exe, "C:\Boot\sr-Latn-RS\conhost.exe"
  2. + "C:\ProgramData\Mozilla\WmiPrvSE.exe"
  3. + "C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br\OfficeClickToRun.exe"
  4. + "C:\Windows\System32\wbem\WUAProvider\WmiPrvSE.exe"
  5. + "C:\Users\Admin\AppData\Local\Temp\RJMQBVDN-20210410-0716a\dashdV.exe"
  6. + "C:\Program Files (x86)\Windows Mail\en-US\RuntimeBroker.exe"
  7. + "C:\Windows\write\explorer.exe"
  8. + "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxSignature\ShellExperienceHost.exe"
Final value:
explorer.exe, "C:\Boot\sr-Latn-RS\conhost.exe", "C:\ProgramData\Mozilla\WmiPrvSE.exe", "C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br\OfficeClickToRun.exe", "C:\Windows\System32\wbem\WUAProvider\WmiPrvSE.exe", "C:\Users\Admin\AppData\Local\Temp\RJMQBVDN-20210410-0716a\dashdV.exe", "C:\Program Files (x86)\Windows Mail\en-US\RuntimeBroker.exe", "C:\Windows\write\explorer.exe", "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxSignature\ShellExperienceHost.exe"
Downloads MZ/PE file
-
Drops file in Drivers directory  1 IoCs
  File opened for modification  C:\Windows\System32\drivers\etc\hosts  ShellExperienceHost.exe
The report records only the open-for-write; the content written to the hosts file is not shown, so check the file on an infected host rather than assuming a particular entry.
Executes dropped EXE  3 IoCs
  pid 3176  aye.exe
  pid 3860  netDhcpDriverruntimeCommon.exe
  pid 3864  ShellExperienceHost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application  2 TTPs  16 IoCs
Process: netDhcpDriverruntimeCommon.exe
Each value below is set (str) in both hives: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run. The value names mimic Windows binaries; the paths do not match where those binaries live.
  dashdV              = "C:\Users\Admin\AppData\Local\Temp\RJMQBVDN-20210410-0716a\dashdV.exe"
  ShellExperienceHost = "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxSignature\ShellExperienceHost.exe"
  WmiPrvSE            = "C:\ProgramData\Mozilla\WmiPrvSE.exe"
  WmiPrvSE            = "C:\Windows\System32\wbem\WUAProvider\WmiPrvSE.exe"
  conhost             = "C:\Boot\sr-Latn-RS\conhost.exe"
  RuntimeBroker       = "C:\Program Files (x86)\Windows Mail\en-US\RuntimeBroker.exe"
  explorer            = "C:\Windows\write\explorer.exe"
  OfficeClickToRun    = "C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br\OfficeClickToRun.exe"
The value name WmiPrvSE is written twice in each hive with different paths, so only the later write survives in each; the other WmiPrvSE copy is still started via Winlogon\Shell.
Looks up external IP address via web service  3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 35  ipinfo.io
  flow 36  ipinfo.io
  flow 33  ip-api.com
Drops file in System32 directory  9 IoCs
aye.exe:
  File created                  C:\Windows\SysWOW64\kk946QGUYfip6zCEWvxdUIQltPP.bat
  File opened for modification  C:\Windows\SysWOW64\kk946QGUYfip6zCEWvxdUIQltPP.bat
  File created                  C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe
  File opened for modification  C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe
  File created                  C:\Windows\SysWOW64\D2RrWRv0Po.vbe
  File opened for modification  C:\Windows\SysWOW64\D2RrWRv0Po.vbe
  File created                  C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259293484
netDhcpDriverruntimeCommon.exe:
  File created                  C:\Windows\System32\wbem\WUAProvider\WmiPrvSE.exe
  File created                  C:\Windows\System32\wbem\WUAProvider\24dbde2999530ef5fd907494bc374d663924116c
Two things to read from this list. aye.exe's drops land in C:\Windows\SysWOW64 although the command lines in the process tree name C:\Windows\System32; that is WOW64 file-system redirection, i.e. that stage runs as a 32-bit process. The __tmp_rar_sfx_access_check_* file is the write-access probe a WinRAR self-extracting archive creates in its extraction directory, which identifies aye.exe as a RAR SFX. The 40-hex-character file next to WmiPrvSE.exe recurs beside every executable the RAT drops (see the Program Files and Windows directory entries).
Drops file in Program Files directory  4 IoCs
netDhcpDriverruntimeCommon.exe:
  File created  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br\OfficeClickToRun.exe
  File created  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br\e6c9b481da804f07baff8eff543b0a1441069b5d
  File created  C:\Program Files (x86)\Windows Mail\en-US\RuntimeBroker.exe
  File created  C:\Program Files (x86)\Windows Mail\en-US\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d
Drops file in Windows directory  5 IoCs
netDhcpDriverruntimeCommon.exe:
  File created  C:\Windows\write\explorer.exe
  File created  C:\Windows\write\7a0fd90576e08807bde2cc57bcf9854bbce05fe3
  File created  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxSignature\ShellExperienceHost.exe
  File created  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxSignature\f8c8f1285d826bc63910aaf97db97186ba642b4f
  File created  C:\Windows\OCR\en-us\WmiPrvSE.exe
The OCR\en-us copy is not referenced by any Run value, Winlogon\Shell entry or scheduled task in this report; it is a dormant copy and should be swept for separately.
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; nothing else in this report (no file encryption, no ransom note) supports that reading for a DCRat sample, and drive enumeration is ordinary reconnaissance for a RAT.

Creates scheduled task(s)  1 TTPs  8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid  process): 2464 schtasks.exe, 2120 schtasks.exe, 3352 schtasks.exe, 676 schtasks.exe, 2320 schtasks.exe, 2204 schtasks.exe, 196 schtasks.exe, 2644 schtasks.exe
All eight are created by netDhcpDriverruntimeCommon.exe with /sc ONLOGON and /rl HIGHEST (command lines in the process tree), so each payload starts elevated at every logon. Two of the eight use the same task name "WmiPrvSE" together with /f, so the later one as listed (C:\Windows\System32\wbem\WUAProvider\WmiPrvSE.exe) overwrites the earlier one (C:\ProgramData\Mozilla\WmiPrvSE.exe) and only seven distinct tasks remain.
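The three persistence signatures above (Winlogon\Shell, Run keys, ONLOGON scheduled tasks), plus the hosts-file open and the ipinfo.io / ip-api.com lookups, can be checked on a suspect host with the following script. It is an added example, not part of the Triage report and not code from the sample; the value and task names it matches are the ones this report shows, while the regexes, the "active hosts entry" rule and the output format are this script's own choices.

```powershell
# Added example (not from the Triage report): read-only hunt for the persistence this
# report attributes to netDhcpDriverruntimeCommon.exe. Run from an elevated, 64-bit
# PowerShell on the suspect host. It reports; it does not remediate.

$findings = [System.Collections.Generic.List[string]]::new()

# Value and task names the sample used (taken from the report).
$dcratNames = @('conhost', 'WmiPrvSE', 'OfficeClickToRun', 'dashdV',
                'RuntimeBroker', 'explorer', 'ShellExperienceHost')

# 1. Winlogon\Shell. The only legitimate value is "explorer.exe". The sample rewrites it
#    as: explorer.exe, "<payload1>", "<payload2>", ... and Winlogon starts every entry.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -LiteralPath $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell) {
    # Split on commas that sit outside double quotes, then strip quotes and whitespace.
    $entries = [regex]::Split($shell, ',(?=(?:[^"]*"[^"]*")*[^"]*$)') |
        ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ }
    foreach ($entry in $entries) {
        if ($entry -ine 'explorer.exe') { $findings.Add("Winlogon\Shell extra entry: $entry") }
    }
}

# 2. Run keys in HKLM and the current user's hive (the report's HKU\S-1-5-21-...-1000).
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    $values = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $values) { continue }
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider metadata
        if ($dcratNames -contains $prop.Name) {
            $findings.Add("Run value '$($prop.Name)' in $key -> $($prop.Value)")
        }
    }
}

# 3. Scheduled tasks named after Windows binaries; report trigger type, run level and target.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    if ($dcratNames -notcontains $task.TaskName) { return }
    $onLogon = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }).Count -gt 0
    $highest = "$($task.Principal.RunLevel)" -eq 'Highest'
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            # schtasks /tr "'...'" leaves literal single quotes around the path; strip them.
            $exe = $action.Execute -replace '^[\s''"]+|[\s''"]+$', ''
            $findings.Add("Task $($task.TaskPath)$($task.TaskName): logon=$onLogon highest=$highest runs $exe")
        }
    }
}

# 4. hosts file: ShellExperienceHost.exe opened it for writing. A clean Windows 10 hosts
#    file contains only comment lines, so any active entry deserves a look.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsItem = Get-Item -LiteralPath $hostsPath -ErrorAction SilentlyContinue
if ($hostsItem) {
    $active = @(Get-Content -LiteralPath $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' })
    if ($active.Count -gt 0) {
        $findings.Add("hosts (last write $($hostsItem.LastWriteTime)) has $($active.Count) active entries: $($active -join ' | ')")
    }
}

# 5. DNS client cache: the sample resolved ipinfo.io and ip-api.com to learn its public IP.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -match '(^|\.)(ipinfo\.io|ip-api\.com)$' } |
    ForEach-Object { $findings.Add("DNS cache: $($_.Entry) -> $($_.Data)") }

if ($findings.Count -eq 0) { 'No DCRat persistence indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The Winlogon check deliberately flags every entry other than a bare explorer.exe rather than matching the report's paths, because the value is rebuilt by the malware on each run and a later variant can use different paths; the Run-key and task checks match on the value/task names, which are the part of this sample's persistence that does not change between installs. Name matching also means a legitimate task or Run value that happens to use one of those names will be reported; the printed target path is what settles it.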
Modifies registry class  2 IoCs
  Key created  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings  aye.exe
  Key created  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings  netDhcpDriverruntimeCommon.exe
Runs ping.exe  1 TTPs  1 IoCs
The one IoC is "ping -n 5 localhost" from P71yNHVwFf.bat (see the process tree): five pings of localhost take a few seconds and serve as a sleep before the batch file starts ShellExperienceHost.exe.

Suspicious behavior: EnumeratesProcesses  9 IoCs
  pid 3860  netDhcpDriverruntimeCommon.exe  (3 hits)
  pid 3864  ShellExperienceHost.exe  (6 hits)
Suspicious use of AdjustPrivilegeToken  3 IoCs
  Token: SeDebugPrivilege  pid 3904  dashdV.exe
  Token: SeDebugPrivilege  pid 3860  netDhcpDriverruntimeCommon.exe
  Token: SeDebugPrivilege  pid 3864  ShellExperienceHost.exe
Suspicious use of WriteProcessMemory  43 IoCs
Writes grouped by source and target (pid process -> pid process, count of entries):
  3904 dashdV.exe                      -> 3176 aye.exe                         (3)
  3176 aye.exe                         -> 1352 WScript.exe                     (3)
  1352 WScript.exe                     -> 1004 cmd.exe                         (3)
  1004 cmd.exe                         -> 3860 netDhcpDriverruntimeCommon.exe  (2)
  3860 netDhcpDriverruntimeCommon.exe  -> 196 schtasks.exe                     (3)
  3860 netDhcpDriverruntimeCommon.exe  -> 2644 schtasks.exe                    (3)
  3860 netDhcpDriverruntimeCommon.exe  -> 2464 schtasks.exe                    (3)
  3860 netDhcpDriverruntimeCommon.exe  -> 2120 schtasks.exe                    (3)
  3860 netDhcpDriverruntimeCommon.exe  -> 3352 schtasks.exe                    (3)
  3860 netDhcpDriverruntimeCommon.exe  -> 676 schtasks.exe                     (3)
  3860 netDhcpDriverruntimeCommon.exe  -> 2320 schtasks.exe                    (3)
  3860 netDhcpDriverruntimeCommon.exe  -> 2204 schtasks.exe                    (3)
  3860 netDhcpDriverruntimeCommon.exe  -> 1224 cmd.exe                         (2)
  1224 cmd.exe                         -> 1220 chcp.com                        (2)
  1224 cmd.exe                         -> 4068 PING.EXE                        (2)
  1224 cmd.exe                         -> 3864 ShellExperienceHost.exe         (2)
Every write goes from a parent into its own direct child as shown in the process tree, the pattern of ordinary process creation; the report records no write into an unrelated process, so this signature is not evidence of code injection.
Processes
Indentation shows depth in the tree. "image" is the path the sandbox recorded for the running executable, "cmd" the command line as launched.

[1] image: C:\Users\Admin\AppData\Local\Temp\dashdV.exe
    cmd:   "C:\Users\Admin\AppData\Local\Temp\dashdV.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] image: C:\ProgramData\aye.exe
      cmd:   "C:\ProgramData\aye.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

    [3] image: C:\Windows\SysWOW64\WScript.exe
        cmd:   "C:\Windows\System32\WScript.exe" "C:\Windows\system32\D2RrWRv0Po.vbe"
        - Suspicious use of WriteProcessMemory

      [4] image: C:\Windows\SysWOW64\cmd.exe
          cmd:   C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\kk946QGUYfip6zCEWvxdUIQltPP.bat" "
          - Suspicious use of WriteProcessMemory

        [5] image: C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe
            cmd:   "C:\Windows\system32\netDhcpDriverruntimeCommon.exe"
            - Modifies WinLogon for persistence
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

          [6] image: C:\Windows\SysWOW64\schtasks.exe
              cmd:   "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Boot\sr-Latn-RS\conhost.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] image: C:\Windows\SysWOW64\schtasks.exe
              cmd:   "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\ProgramData\Mozilla\WmiPrvSE.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] image: C:\Windows\SysWOW64\schtasks.exe
              cmd:   "schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br\OfficeClickToRun.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] image: C:\Windows\SysWOW64\schtasks.exe
              cmd:   "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\WUAProvider\WmiPrvSE.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] image: C:\Windows\SysWOW64\schtasks.exe
              cmd:   "schtasks" /create /tn "dashdV" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\RJMQBVDN-20210410-0716a\dashdV.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] image: C:\Windows\SysWOW64\schtasks.exe
              cmd:   "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] image: C:\Windows\SysWOW64\schtasks.exe
              cmd:   "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\write\explorer.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] image: C:\Windows\SysWOW64\schtasks.exe
              cmd:   "schtasks" /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxSignature\ShellExperienceHost.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] image: C:\Windows\System32\cmd.exe
              cmd:   "C:\Windows\System32\cmd.exe" /C "C:\Users\Public\P71yNHVwFf.bat"
              - Suspicious use of WriteProcessMemory

            [7] image: C:\Windows\system32\chcp.com
                cmd:   chcp 65001
            [7] image: C:\Windows\system32\PING.EXE
                cmd:   ping -n 5 localhost
                - Runs ping.exe
            [7] image: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxSignature\ShellExperienceHost.exe
                cmd:   "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxSignature\ShellExperienceHost.exe"
                - Drops file in Drivers directory
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

The chain in one line: dashdV.exe (sample, takes SeDebugPrivilege) -> aye.exe (RAR SFX written to ProgramData) -> WScript.exe running D2RrWRv0Po.vbe -> cmd.exe running kk946QGUYfip6zCEWvxdUIQltPP.bat -> netDhcpDriverruntimeCommon.exe (installs the Winlogon, Run-key and scheduled-task persistence) -> cmd.exe running P71yNHVwFf.bat, which sets code page 65001, sleeps via ping, and starts ShellExperienceHost.exe, a byte-identical copy of netDhcpDriverruntimeCommon.exe (same hashes under Downloads). Wherever the image path is C:\Windows\SysWOW64 while the command line says C:\Windows\System32, WOW64 file-system redirection is at work: that stage is a 32-bit process, and the sandbox shows the real on-disk location.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files with hashes. Three files appear twice in the report with identical hash blocks; the repeats are collapsed here.

C:\ProgramData\aye.exe  (listed twice)
  MD5     fed9979b059967674138a00a535310e9
  SHA1    de3001de07bb5f6a19649540512b9d29acb8a7d9
  SHA256  4a0eda4125af78fee87b855f00379513adaeebf66eedd34ba61af90874eed366
  SHA512  e1445d4f149594901ee86542856f856a8874ea2caf2076a729d2fea3fe57cdf934d9912882dccb8d4e295035fc836d1d9cf81418973affd2da4d3bc40778345d

C:\Users\Public\P71yNHVwFf.bat
  MD5     65b1026e98bc50a27cd9d67d72fd4280
  SHA1    86f827651dd575ba860ec4925c35559bc38c83b0
  SHA256  3c92452e38a5e471de0964cc417737f7d38ad9383dd1a69e3dc40f7f0b16ea20
  SHA512  dc1ac8ac6f91e14b2cb3efc645abef4540c3f9e8a62210ef49cc64eac3ff85b3dd45c6b67ce00dcac854016e042b321d8ca7c49f60828e527cab2c99c97d8198

C:\Windows\SysWOW64\D2RrWRv0Po.vbe
  MD5     b57cdbe6bff09c4719cfeeeb11736d47
  SHA1    040ace85289b8b111e3e44e979a73277bd8284b6
  SHA256  0d76dd655a3bf305df6382093705ca9a0ec946651fd593c14ce81b0b286c6a5b
  SHA512  55fc21fcd6c0572c595271fc2a15d7b9eeab6dfd0ad055a498acfeba05a09e0ebc32fe674f985c101c62f6419c2404f314acc8ec5a8744b67971daaaca2b4451

C:\Windows\SysWOW64\kk946QGUYfip6zCEWvxdUIQltPP.bat
  MD5     b95e24d87d79c2b36fc0f8ef4434cfb7
  SHA1    0e2a2c904e15f7f2e68a89f238d262b1d0b0f2e5
  SHA256  8fef5c403a59ab01e615e97319fe70c8a3e0234272334cb2d63ffd9f784ee726
  SHA512  e4cb26aed7aaf65cce7b4ed72c1f2edcf30bd46868d302836b55e976a3762cf6e30f5bf539b1b9b44f300e400fca68f79b6893ab936b8f49921823927c41f46b

C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe  (listed twice)
  MD5     6e6663ec26bed1a1b0e513aafddff490
  SHA1    96b6a2c50e4662058799efee8278e1b2252f525b
  SHA256  a7479ec985fd5c474ef5ee35110c61f10abf40e950f8673405c4f89777f28571
  SHA512  dd6b62c08cdddc94750eb408c804e76c0e3c14196f18c419025f00958916d9e45fa2a537e15afc59dd291456507e4b61d472cb00e498f12af6936e434a4669af

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxSignature\ShellExperienceHost.exe  (listed twice)
  MD5/SHA1/SHA256/SHA512 identical to netDhcpDriverruntimeCommon.exe above: the two paths hold the same binary, so the one SHA256 (a7479ec9...) covers both, and the other payload copies named under "Drops file in ..." were not hashed by the report.
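To turn the file list above into a host sweep, the following script hashes every dropped path the report names and compares it with the report's SHA256. It is an added example, not part of the Triage report; the hashes and paths come from the report, the omission of the sandbox-specific Temp\RJMQBVDN-20210410-0716a path and the verdict wording are this script's own choices. The unhashed list covers the payload copies the "Drops file in ..." signatures name but the report did not hash; for those, presence is the indicator, because a clean Windows install has no executable at any of those paths (the real WmiPrvSE.exe lives in C:\Windows\System32\wbem, not in a WUAProvider subfolder, and the real ShellExperienceHost.exe sits directly in its SystemApps package directory, not under AppxSignature).

```powershell
# Added example (not from the Triage report): sweep a host for the files this report lists.
# Run from a 64-bit PowerShell: a 32-bit session has C:\Windows\System32 redirected to
# SysWOW64 and would never see the wbem\WUAProvider copy.

# SHA256 values as printed under Downloads in the report.
$reported = [ordered]@{
    'C:\ProgramData\aye.exe'                              = '4a0eda4125af78fee87b855f00379513adaeebf66eedd34ba61af90874eed366'
    'C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe'  = 'a7479ec985fd5c474ef5ee35110c61f10abf40e950f8673405c4f89777f28571'
    'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxSignature\ShellExperienceHost.exe' = 'a7479ec985fd5c474ef5ee35110c61f10abf40e950f8673405c4f89777f28571'
    'C:\Windows\SysWOW64\D2RrWRv0Po.vbe'                  = '0d76dd655a3bf305df6382093705ca9a0ec946651fd593c14ce81b0b286c6a5b'
    'C:\Windows\SysWOW64\kk946QGUYfip6zCEWvxdUIQltPP.bat' = '8fef5c403a59ab01e615e97319fe70c8a3e0234272334cb2d63ffd9f784ee726'
    'C:\Users\Public\P71yNHVwFf.bat'                      = '3c92452e38a5e471de0964cc417737f7d38ad9383dd1a69e3dc40f7f0b16ea20'
}

# Payload copies named by the "Drops file in ..." signatures but not hashed in the report.
# The report's Temp\RJMQBVDN-20210410-0716a\dashdV.exe path is sandbox-specific and left out.
$unhashed = @(
    'C:\Boot\sr-Latn-RS\conhost.exe',
    'C:\ProgramData\Mozilla\WmiPrvSE.exe',
    'C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br\OfficeClickToRun.exe',
    'C:\Windows\System32\wbem\WUAProvider\WmiPrvSE.exe',
    'C:\Program Files (x86)\Windows Mail\en-US\RuntimeBroker.exe',
    'C:\Windows\write\explorer.exe',
    'C:\Windows\OCR\en-us\WmiPrvSE.exe'
)

$results = foreach ($path in @($reported.Keys) + $unhashed) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
    $item     = Get-Item -LiteralPath $path
    $sha256   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLowerInvariant()
    $expected = $reported[$path]
    # A different hash at a reported path is still a finding: the directory should be empty
    # of executables on a clean host, so only the label changes, not the severity.
    $verdict = if ($expected) {
        if ($sha256 -eq $expected) { 'HASH MATCH' } else { 'present, hash differs (other build?)' }
    } else { 'present (no reference hash in report)' }
    [pscustomobject]@{
        Path      = $path
        Size      = $item.Length
        LastWrite = $item.LastWriteTime
        SHA256    = $sha256
        Verdict   = $verdict
    }
}

if ($results) { $results | Format-Table -AutoSize -Wrap }
else { 'None of the reported drop paths exist on this host.' }
```

Because netDhcpDriverruntimeCommon.exe and the dropped ShellExperienceHost.exe share one hash, a match on either path also tells you which binary to expect at the other six unhashed locations if the sample copied itself there unchanged; the LastWrite column, read together with the 40-hex-character companion files the report lists beside each EXE, gives the installation time to pivot on in event logs.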
Memory dumps (file, region, size; "mapping" entries carry no region)
memory/196-137-0x0000000000000000-mapping.dmp
memory/676-142-0x0000000000000000-mapping.dmp
memory/1004-130-0x0000000000000000-mapping.dmp
memory/1220-147-0x0000000000000000-mapping.dmp
memory/1224-145-0x0000000000000000-mapping.dmp
memory/1352-126-0x0000000000000000-mapping.dmp
memory/2120-140-0x0000000000000000-mapping.dmp
memory/2204-144-0x0000000000000000-mapping.dmp
memory/2320-143-0x0000000000000000-mapping.dmp
memory/2464-139-0x0000000000000000-mapping.dmp
memory/2644-138-0x0000000000000000-mapping.dmp
memory/3176-121-0x0000000000000000-mapping.dmp
memory/3352-141-0x0000000000000000-mapping.dmp
memory/3860-134-0x0000028B4F350000-0x0000028B4F351000-memory.dmp  4KB
memory/3860-136-0x0000028B69AC0000-0x0000028B69AC2000-memory.dmp  8KB
memory/3860-131-0x0000000000000000-mapping.dmp
memory/3864-157-0x000001F6AEC00000-0x000001F6AEC07000-memory.dmp  28KB
memory/3864-156-0x000001F6AEBF0000-0x000001F6AEBF6000-memory.dmp  24KB
memory/3864-166-0x000001F6963D7000-0x000001F6963D9000-memory.dmp  8KB
memory/3864-165-0x000001F6AEDF0000-0x000001F6AEDF1000-memory.dmp  4KB
memory/3864-164-0x000001F6963D5000-0x000001F6963D7000-memory.dmp  8KB
memory/3864-163-0x000001F6AEDE0000-0x000001F6AEDE2000-memory.dmp  8KB
memory/3864-149-0x0000000000000000-mapping.dmp
memory/3864-161-0x000001F6963D2000-0x000001F6963D4000-memory.dmp  8KB
memory/3864-162-0x000001F6963D4000-0x000001F6963D5000-memory.dmp  4KB
memory/3864-154-0x000001F6963D0000-0x000001F6963D2000-memory.dmp  8KB
memory/3864-155-0x000001F6AEC10000-0x000001F6AEC11000-memory.dmp  4KB
memory/3864-160-0x000001F6AEDD0000-0x000001F6AEDD2000-memory.dmp  8KB
memory/3864-159-0x000001F6AEDC0000-0x000001F6AEDC2000-memory.dmp  8KB
memory/3864-158-0x000001F6AED70000-0x000001F6AED72000-memory.dmp  8KB
memory/3904-128-0x0000000005720000-0x0000000005C1E000-memory.dmp  5.0MB
memory/3904-114-0x0000000000E90000-0x0000000000E91000-memory.dmp  4KB
memory/3904-116-0x0000000005C20000-0x0000000005C21000-memory.dmp  4KB
memory/3904-117-0x0000000005800000-0x0000000005801000-memory.dmp  4KB
memory/3904-118-0x00000000057F0000-0x00000000057F1000-memory.dmp  4KB
memory/3904-119-0x0000000005720000-0x0000000005C1E000-memory.dmp  5.0MB
memory/3904-120-0x0000000005720000-0x0000000005C1E000-memory.dmp  5.0MB
memory/4068-148-0x0000000000000000-mapping.dmp