Analysis

max time kernel: 58s
max time network: 60s
platform: windows10_x64
resource: win10v20210410
submitted: 21-04-2021 18:02

Static task: static1
Behavioral task: behavioral1
  Sample: dashdV.exe
  Resource: win10v20210410
Behavioral task: behavioral2
  Sample: dashdV.exe
  Resource: win10v20210410
General

Target: dashdV.exe
Size: 17.1MB
MD5: 765f570a565d578f2ace3ccb41cef038
SHA1: 89b44e3aa8f3c93f80ae29f7a36a9486b080229d
SHA256: 0d7c515d3483b45d5725717070e8497435c39b3450af59194b2a32a33c2867e8
SHA512: 941862a1d09e70725f9826b05dc8a8c7442add91229f39ac7ea9d4e6b8d0f751d749ac6b6ac2202290122945e14bab06516680a7007598af7cca62ac1b465898
Malware Config
Signatures
-
Processes (resource | yara_rule):
  C:\ProgramData\aye.exe | Dark_crystal_rat
  C:\ProgramData\aye.exe | Dark_crystal_rat
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 9 IoCs
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\luainstall\\SppExtComObj.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\luainstall\\SppExtComObj.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Windows\\System32\\SettingsHandlers_Devices\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\netDhcpDriverruntimeCommon.exe\", \"C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\AppxManifest\\ShellExperienceHost.exe\", \"C:\\Users\\All Users\\Start Menu\\netDhcpDriverruntimeCommon.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\luainstall\\SppExtComObj.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Windows\\System32\\SettingsHandlers_Devices\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\netDhcpDriverruntimeCommon.exe\", \"C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\AppxManifest\\ShellExperienceHost.exe\", \"C:\\Users\\All Users\\Start Menu\\netDhcpDriverruntimeCommon.exe\", \"C:\\Windows\\SystemResources\\Windows-NFC-SEManagement\\pris\\SearchUI.exe\", \"C:\\ProgramData\\SoftwareDistribution\\ShellExperienceHost.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\luainstall\\SppExtComObj.exe\", \"C:\\Documents and Settings\\dllhost.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\luainstall\\SppExtComObj.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Windows\\System32\\SettingsHandlers_Devices\\RuntimeBroker.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\luainstall\\SppExtComObj.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Windows\\System32\\SettingsHandlers_Devices\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\netDhcpDriverruntimeCommon.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\luainstall\\SppExtComObj.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Windows\\System32\\SettingsHandlers_Devices\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\netDhcpDriverruntimeCommon.exe\", \"C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\AppxManifest\\ShellExperienceHost.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\luainstall\\SppExtComObj.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Windows\\System32\\SettingsHandlers_Devices\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\netDhcpDriverruntimeCommon.exe\", \"C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\AppxManifest\\ShellExperienceHost.exe\", \"C:\\Users\\All Users\\Start Menu\\netDhcpDriverruntimeCommon.exe\", \"C:\\Windows\\SystemResources\\Windows-NFC-SEManagement\\pris\\SearchUI.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\luainstall\\SppExtComObj.exe\"" | netDhcpDriverruntimeCommon.exe
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
Processes (description | ioc | process):
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | ShellExperienceHost.exe
-
Executes dropped EXE 3 IoCs
Processes (pid | process):
  1144 | aye.exe
  2708 | netDhcpDriverruntimeCommon.exe
  3560 | ShellExperienceHost.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 18 IoCs
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\luainstall\\SppExtComObj.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\SettingsHandlers_Devices\\RuntimeBroker.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netDhcpDriverruntimeCommon = "\"C:\\Documents and Settings\\netDhcpDriverruntimeCommon.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Windows\\SystemResources\\Windows-NFC-SEManagement\\pris\\SearchUI.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\luainstall\\SppExtComObj.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Documents and Settings\\dllhost.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\SettingsHandlers_Devices\\RuntimeBroker.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\netDhcpDriverruntimeCommon = "\"C:\\Documents and Settings\\netDhcpDriverruntimeCommon.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\AppxManifest\\ShellExperienceHost.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\netDhcpDriverruntimeCommon = "\"C:\\Users\\All Users\\Start Menu\\netDhcpDriverruntimeCommon.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:\\ProgramData\\SoftwareDistribution\\ShellExperienceHost.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Documents and Settings\\dllhost.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\AppxManifest\\ShellExperienceHost.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Windows\\SystemResources\\Windows-NFC-SEManagement\\pris\\SearchUI.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netDhcpDriverruntimeCommon = "\"C:\\Users\\All Users\\Start Menu\\netDhcpDriverruntimeCommon.exe\"" | netDhcpDriverruntimeCommon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:\\ProgramData\\SoftwareDistribution\\ShellExperienceHost.exe\"" | netDhcpDriverruntimeCommon.exe
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
  30 | ipinfo.io
  27 | ip-api.com
  29 | ipinfo.io
-
Drops file in System32 directory 12 IoCs
Processes (description | ioc | process):
  File created | C:\Windows\System32\luainstall\e1ef82546f0b02b7e974f28047f3788b1128cce1 | netDhcpDriverruntimeCommon.exe
  File created | C:\Windows\System32\SettingsHandlers_Devices\RuntimeBroker.exe | netDhcpDriverruntimeCommon.exe
  File created | C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe | aye.exe
  File opened for modification | C:\Windows\System32\luainstall\SppExtComObj.exe | netDhcpDriverruntimeCommon.exe
  File opened for modification | C:\Windows\SysWOW64\kk946QGUYfip6zCEWvxdUIQltPP.bat | aye.exe
  File opened for modification | C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe | aye.exe
  File created | C:\Windows\SysWOW64\D2RrWRv0Po.vbe | aye.exe
  File opened for modification | C:\Windows\SysWOW64\D2RrWRv0Po.vbe | aye.exe
  File created | C:\Windows\System32\luainstall\SppExtComObj.exe | netDhcpDriverruntimeCommon.exe
  File created | C:\Windows\System32\SettingsHandlers_Devices\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d | netDhcpDriverruntimeCommon.exe
  File created | C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259291062 | aye.exe
  File created | C:\Windows\SysWOW64\kk946QGUYfip6zCEWvxdUIQltPP.bat | aye.exe
-
Drops file in Program Files directory 2 IoCs
Processes (description | ioc | process):
  File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe | netDhcpDriverruntimeCommon.exe
  File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9 | netDhcpDriverruntimeCommon.exe
-
Drops file in Windows directory 4 IoCs
Processes (description | ioc | process):
  File created | C:\Windows\SystemResources\Windows-NFC-SEManagement\pris\SearchUI.exe | netDhcpDriverruntimeCommon.exe
  File created | C:\Windows\SystemResources\Windows-NFC-SEManagement\pris\dab4d89cac03ec27dbe47b361df763dc3f848f6c | netDhcpDriverruntimeCommon.exe
  File created | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest\ShellExperienceHost.exe | netDhcpDriverruntimeCommon.exe
  File created | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest\f8c8f1285d826bc63910aaf97db97186ba642b4f | netDhcpDriverruntimeCommon.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid | process):
  3292 | schtasks.exe
  3764 | schtasks.exe
  3176 | schtasks.exe
  3612 | schtasks.exe
  3312 | schtasks.exe
  2080 | schtasks.exe
  2200 | schtasks.exe
  2264 | schtasks.exe
  1492 | schtasks.exe
-
Modifies registry class 2 IoCs
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | aye.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | netDhcpDriverruntimeCommon.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes (pid | process):
  2708 | netDhcpDriverruntimeCommon.exe
  3560 | ShellExperienceHost.exe (6 IoCs)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description | pid | process):
  Token: SeDebugPrivilege | 1828 | dashdV.exe
  Token: SeDebugPrivilege | 2708 | netDhcpDriverruntimeCommon.exe
  Token: SeDebugPrivilege | 3560 | ShellExperienceHost.exe
-
Suspicious use of WriteProcessMemory 46 IoCs
Processes (description | pid | process | target process), identical rows collapsed with their count:
  PID 1828 wrote to memory of 1144 | 1828 | dashdV.exe | aye.exe (x3)
  PID 1144 wrote to memory of 3292 | 1144 | aye.exe | WScript.exe (x3)
  PID 3292 wrote to memory of 3972 | 3292 | WScript.exe | cmd.exe (x3)
  PID 3972 wrote to memory of 2708 | 3972 | cmd.exe | netDhcpDriverruntimeCommon.exe (x2)
  PID 2708 wrote to memory of 3764 | 2708 | netDhcpDriverruntimeCommon.exe | schtasks.exe (x3)
  PID 2708 wrote to memory of 3176 | 2708 | netDhcpDriverruntimeCommon.exe | schtasks.exe (x3)
  PID 2708 wrote to memory of 3612 | 2708 | netDhcpDriverruntimeCommon.exe | schtasks.exe (x3)
  PID 2708 wrote to memory of 3312 | 2708 | netDhcpDriverruntimeCommon.exe | schtasks.exe (x3)
  PID 2708 wrote to memory of 2264 | 2708 | netDhcpDriverruntimeCommon.exe | schtasks.exe (x3)
  PID 2708 wrote to memory of 2080 | 2708 | netDhcpDriverruntimeCommon.exe | schtasks.exe (x3)
  PID 2708 wrote to memory of 2200 | 2708 | netDhcpDriverruntimeCommon.exe | schtasks.exe (x3)
  PID 2708 wrote to memory of 1492 | 2708 | netDhcpDriverruntimeCommon.exe | schtasks.exe (x3)
  PID 2708 wrote to memory of 3292 | 2708 | netDhcpDriverruntimeCommon.exe | schtasks.exe (x3)
  PID 2708 wrote to memory of 204 | 2708 | netDhcpDriverruntimeCommon.exe | cmd.exe (x2)
  PID 204 wrote to memory of 3516 | 204 | cmd.exe | chcp.com (x2)
  PID 204 wrote to memory of 3300 | 204 | cmd.exe | PING.EXE (x2)
  PID 204 wrote to memory of 3560 | 204 | cmd.exe | ShellExperienceHost.exe (x2)
Processes (indented by tree level; the level is given in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\dashdV.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dashdV.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\ProgramData\aye.exe
      Command line: "C:\ProgramData\aye.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\system32\D2RrWRv0Po.vbe"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\kk946QGUYfip6zCEWvxdUIQltPP.bat" "
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe
            Command line: "C:\Windows\system32\netDhcpDriverruntimeCommon.exe"
            - Modifies WinLogon for persistence
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\schtasks.exe
              Command line: "schtasks" /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\luainstall\SppExtComObj.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] C:\Windows\SysWOW64\schtasks.exe
              Command line: "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] C:\Windows\SysWOW64\schtasks.exe
              Command line: "schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] C:\Windows\SysWOW64\schtasks.exe
              Command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\SettingsHandlers_Devices\RuntimeBroker.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] C:\Windows\SysWOW64\schtasks.exe
              Command line: "schtasks" /create /tn "netDhcpDriverruntimeCommon" /sc ONLOGON /tr "'C:\Documents and Settings\netDhcpDriverruntimeCommon.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] C:\Windows\SysWOW64\schtasks.exe
              Command line: "schtasks" /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest\ShellExperienceHost.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] C:\Windows\SysWOW64\schtasks.exe
              Command line: "schtasks" /create /tn "netDhcpDriverruntimeCommon" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\netDhcpDriverruntimeCommon.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] C:\Windows\SysWOW64\schtasks.exe
              Command line: "schtasks" /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows-NFC-SEManagement\pris\SearchUI.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] C:\Windows\SysWOW64\schtasks.exe
              Command line: "schtasks" /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\ProgramData\SoftwareDistribution\ShellExperienceHost.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] C:\Windows\System32\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Public\QAE1MLiqRm.bat"
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\system32\chcp.com
                Command line: chcp 65001
            [7] C:\Windows\system32\PING.EXE
                Command line: ping -n 5 localhost
                - Runs ping.exe
            [7] C:\ProgramData\SoftwareDistribution\ShellExperienceHost.exe
                Command line: "C:\ProgramData\SoftwareDistribution\ShellExperienceHost.exe"
                - Drops file in Drivers directory
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (each dropped file listed once; the report repeated the entries for the .exe files per behavioral task)

C:\ProgramData\SoftwareDistribution\ShellExperienceHost.exe
  MD5: 6e6663ec26bed1a1b0e513aafddff490
  SHA1: 96b6a2c50e4662058799efee8278e1b2252f525b
  SHA256: a7479ec985fd5c474ef5ee35110c61f10abf40e950f8673405c4f89777f28571
  SHA512: dd6b62c08cdddc94750eb408c804e76c0e3c14196f18c419025f00958916d9e45fa2a537e15afc59dd291456507e4b61d472cb00e498f12af6936e434a4669af

C:\ProgramData\aye.exe
  MD5: fed9979b059967674138a00a535310e9
  SHA1: de3001de07bb5f6a19649540512b9d29acb8a7d9
  SHA256: 4a0eda4125af78fee87b855f00379513adaeebf66eedd34ba61af90874eed366
  SHA512: e1445d4f149594901ee86542856f856a8874ea2caf2076a729d2fea3fe57cdf934d9912882dccb8d4e295035fc836d1d9cf81418973affd2da4d3bc40778345d

C:\Users\Public\QAE1MLiqRm.bat
  MD5: 86be04671ced919a7dae4ec6db1d0bc6
  SHA1: 5d73b0a3efb83c96e6e46fae850c31ced0909b95
  SHA256: 9075ee9a1bbf93f5113a0dce66eab5005bf30d6aeb004471bf6719ff74beeaae
  SHA512: 910e1e2380c046275667f0ebbc40f751fbf903adfc50d85e34de4ca3ca3f690fb62b1a8c0af48cd6b47450bd7d266e3e35432197292d4b4e74c09d7ce8e382d3

C:\Windows\SysWOW64\D2RrWRv0Po.vbe
  MD5: b57cdbe6bff09c4719cfeeeb11736d47
  SHA1: 040ace85289b8b111e3e44e979a73277bd8284b6
  SHA256: 0d76dd655a3bf305df6382093705ca9a0ec946651fd593c14ce81b0b286c6a5b
  SHA512: 55fc21fcd6c0572c595271fc2a15d7b9eeab6dfd0ad055a498acfeba05a09e0ebc32fe674f985c101c62f6419c2404f314acc8ec5a8744b67971daaaca2b4451

C:\Windows\SysWOW64\kk946QGUYfip6zCEWvxdUIQltPP.bat
  MD5: b95e24d87d79c2b36fc0f8ef4434cfb7
  SHA1: 0e2a2c904e15f7f2e68a89f238d262b1d0b0f2e5
  SHA256: 8fef5c403a59ab01e615e97319fe70c8a3e0234272334cb2d63ffd9f784ee726
  SHA512: e4cb26aed7aaf65cce7b4ed72c1f2edcf30bd46868d302836b55e976a3762cf6e30f5bf539b1b9b44f300e400fca68f79b6893ab936b8f49921823927c41f46b

C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe
  MD5: 6e6663ec26bed1a1b0e513aafddff490
  SHA1: 96b6a2c50e4662058799efee8278e1b2252f525b
  SHA256: a7479ec985fd5c474ef5ee35110c61f10abf40e950f8673405c4f89777f28571
  SHA512: dd6b62c08cdddc94750eb408c804e76c0e3c14196f18c419025f00958916d9e45fa2a537e15afc59dd291456507e4b61d472cb00e498f12af6936e434a4669af