Analysis
- max time kernel: 151s
- max time network: 159s
- platform: windows11_x64
- resource: win11
- submitted: 25-10-2021 22:54
- Static task: static1
- Behavioral task: behavioral1 (sample driver.sys.exe, resource win11)
- Behavioral task: behavioral2 (sample driver.sys.exe, resource win10-en-20211014)
- Behavioral task: behavioral3 (sample SplitBot.exe, resource win11)
- Behavioral task: behavioral4 (sample SplitBot.exe, resource win10-en-20211014)
General
- Target: SplitBot.exe
- Size: 4.3MB
- MD5: 4e2835daca8a52e01540a596b5b57763
- SHA1: bf9c98fb338e332081a6324d882f4769956b3cd8
- SHA256: 7c3c10637adb941c20d60062422812830a040172ad939c5d8ad24f6a18f6b34d
- SHA512: 633bd6eb1c117c772de389be8cc86766c56577375bdf8d954a3b8a878e354cc9328b02e414bcc1443694547bae91b3003ea8b0c8274c74e6ec0b683584933c16
Malware Config
Signatures
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3048 | 4840 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4320 | 4840 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1584 | 4840 | schtasks.exe |
-
suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE DCRAT Activity (GET)
-
Executes dropped EXE 2 IoCs
Processes:
  pid | process
  756 | reviewrefsessionmonitorreviewruntimeDhcp.exe
  3436 | winlogon.exe
-
Sets service image path in registry 2 TTPs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\csrsrv\\SppExtComObj.exe\"" | reviewrefsessionmonitorreviewruntimeDhcp.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\"" | reviewrefsessionmonitorreviewruntimeDhcp.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Documents and Settings\\SppExtComObj.exe\"" | reviewrefsessionmonitorreviewruntimeDhcp.exe
-
Drops file in System32 directory 2 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\System32\csrsrv\SppExtComObj.exe | reviewrefsessionmonitorreviewruntimeDhcp.exe
  File created | C:\Windows\System32\csrsrv\e1ef82546f0b02b7e974f28047f3788b1128cce1 | reviewrefsessionmonitorreviewruntimeDhcp.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
  pid | process
  2832 | SplitBot.exe
-
Drops file in Windows directory 8 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  3048 | schtasks.exe
  4320 | schtasks.exe
  1584 | schtasks.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes: WaaSMedicAgent.exe, svchost.exe
-
Modifies registry class 1 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings | reviewrefsessionmonitorreviewruntimeDhcp.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid | process
  756 | reviewrefsessionmonitorreviewruntimeDhcp.exe
  3436 | winlogon.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid | process
  3436 | winlogon.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 1344 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1344 | svchost.exe
  Token: SeDebugPrivilege | 756 | reviewrefsessionmonitorreviewruntimeDhcp.exe
  Token: SeShutdownPrivilege | 1272 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1272 | svchost.exe
  Token: SeDebugPrivilege | 3436 | winlogon.exe
  Token: SeSecurityPrivilege | 2860 | TiWorker.exe
  Token: SeRestorePrivilege | 2860 | TiWorker.exe
  Token: SeBackupPrivilege | 2860 | TiWorker.exe
  Token: SeBackupPrivilege | 3584 | vssvc.exe
  Token: SeRestorePrivilege | 3584 | vssvc.exe
  Token: SeAuditPrivilege | 3584 | vssvc.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid | process
  2832 | SplitBot.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description | pid | process | target process
  PID 2832 wrote to memory of 756 | 2832 | SplitBot.exe | reviewrefsessionmonitorreviewruntimeDhcp.exe
  PID 1272 wrote to memory of 2268 | 1272 | svchost.exe | MoUsoCoreWorker.exe
  PID 756 wrote to memory of 2100 | 756 | reviewrefsessionmonitorreviewruntimeDhcp.exe | cmd.exe
  PID 2100 wrote to memory of 2024 | 2100 | cmd.exe | chcp.com
  PID 2100 wrote to memory of 4788 | 2100 | cmd.exe | w32tm.exe
  PID 2100 wrote to memory of 3436 | 2100 | cmd.exe | winlogon.exe
Processes (child processes are indented under their parent)
-
C:\Users\Admin\AppData\Local\Temp\SplitBot.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SplitBot.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\reviewrefsessionmonitorreviewruntimeDhcp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\reviewrefsessionmonitorreviewruntimeDhcp.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a6ap96WVlc.bat"
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\chcp.com
              Command line: chcp 65001
            C:\Windows\system32\w32tm.exe
              Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            C:\Users\Default User\winlogon.exe
              Command line: "C:\Users\Default User\winlogon.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe 8a46f8d45264061e5266ce24d7cf5df1 aF0MGEmogECDG5fKrOX3hA.0.1.0.3.0
  - Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Documents and Settings\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
      Command line: C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\csrsrv\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe 8a46f8d45264061e5266ce24d7cf5df1 aF0MGEmogECDG5fKrOX3hA.0.1.0.3.0
  - Modifies data under HKEY_USERS
-
C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe 8a46f8d45264061e5266ce24d7cf5df1 aF0MGEmogECDG5fKrOX3hA.0.1.0.3.0
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\a6ap96WVlc.bat
  MD5: 3f29426e07373c2bdf41dcf5ce4deca5
  SHA1: 7ad6616e65e8040257e35d2cc6e1be3a3de0cc66
  SHA256: 01c4d7fd0e84f8e6b194c7c031f6d8c70750d8b4443186bc4c888eae93191d81
  SHA512: a770eb253cca947152fbe1ad37b272795f605af7f471337a1f3c08b955b33552c3b96b9eb0249e033fa3fbac29f1bec1b5ec48a6f524456f8f133cbe3034ba83
-
C:\Users\Admin\AppData\Local\Temp\reviewrefsessionmonitorreviewruntimeDhcp.exe
  MD5: a15410a6d2cc6b4484c870f4332658f2
  SHA1: 84b03444e3f5dcd6df96ac5ccf8dcbb712bd5525
  SHA256: b60805e0e0dab7bc799ecc98d9280ef029fb787ffc2f754edc9640fd49187845
  SHA512: 824cb01c90daea7e31a9e704632cb77dccdbade2bcdf293620cf6a88d313ca504911989399507de3d93d198fce07512959d45c8998af47c5a3286f77699a6838
-
C:\Users\Default User\winlogon.exe
  MD5: a15410a6d2cc6b4484c870f4332658f2
  SHA1: 84b03444e3f5dcd6df96ac5ccf8dcbb712bd5525
  SHA256: b60805e0e0dab7bc799ecc98d9280ef029fb787ffc2f754edc9640fd49187845
  SHA512: 824cb01c90daea7e31a9e704632cb77dccdbade2bcdf293620cf6a88d313ca504911989399507de3d93d198fce07512959d45c8998af47c5a3286f77699a6838
-
C:\Users\Default\winlogon.exe
  MD5: a15410a6d2cc6b4484c870f4332658f2
  SHA1: 84b03444e3f5dcd6df96ac5ccf8dcbb712bd5525
  SHA256: b60805e0e0dab7bc799ecc98d9280ef029fb787ffc2f754edc9640fd49187845
  SHA512: 824cb01c90daea7e31a9e704632cb77dccdbade2bcdf293620cf6a88d313ca504911989399507de3d93d198fce07512959d45c8998af47c5a3286f77699a6838
-
- memory/756-147-0x0000000000000000-mapping.dmp
- memory/756-150-0x0000000000E10000-0x0000000000E11000-memory.dmp (Filesize 4KB)
- memory/756-155-0x0000000001810000-0x0000000001812000-memory.dmp (Filesize 8KB)
- memory/1344-152-0x00000249DDF20000-0x00000249DDF30000-memory.dmp (Filesize 64KB)
- memory/1344-153-0x00000249DDFA0000-0x00000249DDFB0000-memory.dmp (Filesize 64KB)
- memory/1344-154-0x00000249E06B0000-0x00000249E06B4000-memory.dmp (Filesize 16KB)
- memory/2024-159-0x0000000000000000-mapping.dmp
- memory/2100-157-0x0000000000000000-mapping.dmp
- memory/2268-156-0x0000000000000000-mapping.dmp
- memory/2832-146-0x0000000000400000-0x0000000000B12000-memory.dmp (Filesize 7.1MB)
- memory/3436-161-0x0000000000000000-mapping.dmp
- memory/3436-166-0x000000001AFF0000-0x000000001AFF7000-memory.dmp (Filesize 28KB)
- memory/3436-167-0x000000001C700000-0x000000001C708000-memory.dmp (Filesize 32KB)
- memory/3436-168-0x000000001C300000-0x000000001C350000-memory.dmp (Filesize 320KB)
- memory/3436-169-0x000000001C350000-0x000000001C354000-memory.dmp (Filesize 16KB)
- memory/3436-170-0x000000001C360000-0x000000001C362000-memory.dmp (Filesize 8KB)
- memory/3436-171-0x000000001C370000-0x000000001C371000-memory.dmp (Filesize 4KB)
- memory/3436-172-0x000000001E370000-0x000000001E371000-memory.dmp (Filesize 4KB)
- memory/4788-160-0x0000000000000000-mapping.dmp