1a6fd38ece3d73b6612263fed6de4c553cbb46d6e5637e6cd6214ade39b81782

Analysis

max time kernel
57s
max time network
60s
platform
windows7_x64
resource
win7-20220414-en
submitted
28-04-2022 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MethamphetamineSolutionsLoader.exe
Size

8.0MB
MD5

760862da38d026ae351dca91202add60
SHA1

ae1def931735a30a44e93a66afa2e72d9d72d8e9
SHA256

1a6fd38ece3d73b6612263fed6de4c553cbb46d6e5637e6cd6214ade39b81782
SHA512

c529abf8099c96b0cfffa023f6d5b6b5dc2c2bcb73e1720042a8a842904cba068d7dcad873019b790fe125670331c791122eb8806fe91711a01987bda2d79bd8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1492	RtgNSlMYtFvlTt52WHci.exe
520	netmonitor.exe
956	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1656	cmd.exe
888	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1012	schtasks.exe
748	schtasks.exe
872	schtasks.exe
756	schtasks.exe
1936	schtasks.exe
856	schtasks.exe
1540	schtasks.exe
808	schtasks.exe
1428	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	taskhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	taskhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	taskhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	taskhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	taskhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	taskhost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
520	netmonitor.exe
956	taskhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	520	netmonitor.exe
Token: SeDebugPrivilege	956	taskhost.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1696	2024	MethamphetamineSolutionsLoader.exe	27
PID 2024 wrote to memory of 1696	2024	MethamphetamineSolutionsLoader.exe	27
PID 2024 wrote to memory of 1696	2024	MethamphetamineSolutionsLoader.exe	27
PID 2024 wrote to memory of 1696	2024	MethamphetamineSolutionsLoader.exe	27
PID 1696 wrote to memory of 1656	1696	WScript.exe	28
PID 1696 wrote to memory of 1656	1696	WScript.exe	28
PID 1696 wrote to memory of 1656	1696	WScript.exe	28
PID 1696 wrote to memory of 1656	1696	WScript.exe	28
PID 1656 wrote to memory of 1492	1656	cmd.exe	30
PID 1656 wrote to memory of 1492	1656	cmd.exe	30
PID 1656 wrote to memory of 1492	1656	cmd.exe	30
PID 1656 wrote to memory of 1492	1656	cmd.exe	30
PID 1492 wrote to memory of 1384	1492	RtgNSlMYtFvlTt52WHci.exe	31
PID 1492 wrote to memory of 1384	1492	RtgNSlMYtFvlTt52WHci.exe	31
PID 1492 wrote to memory of 1384	1492	RtgNSlMYtFvlTt52WHci.exe	31
PID 1492 wrote to memory of 1384	1492	RtgNSlMYtFvlTt52WHci.exe	31
PID 1492 wrote to memory of 1616	1492	RtgNSlMYtFvlTt52WHci.exe	32
PID 1492 wrote to memory of 1616	1492	RtgNSlMYtFvlTt52WHci.exe	32
PID 1492 wrote to memory of 1616	1492	RtgNSlMYtFvlTt52WHci.exe	32
PID 1492 wrote to memory of 1616	1492	RtgNSlMYtFvlTt52WHci.exe	32
PID 1384 wrote to memory of 888	1384	WScript.exe	33
PID 1384 wrote to memory of 888	1384	WScript.exe	33
PID 1384 wrote to memory of 888	1384	WScript.exe	33
PID 1384 wrote to memory of 888	1384	WScript.exe	33
PID 888 wrote to memory of 520	888	cmd.exe	35
PID 888 wrote to memory of 520	888	cmd.exe	35
PID 888 wrote to memory of 520	888	cmd.exe	35
PID 888 wrote to memory of 520	888	cmd.exe	35
PID 520 wrote to memory of 1428	520	netmonitor.exe	37
PID 520 wrote to memory of 1428	520	netmonitor.exe	37
PID 520 wrote to memory of 1428	520	netmonitor.exe	37
PID 520 wrote to memory of 872	520	netmonitor.exe	39
PID 520 wrote to memory of 872	520	netmonitor.exe	39
PID 520 wrote to memory of 872	520	netmonitor.exe	39
PID 520 wrote to memory of 756	520	netmonitor.exe	41
PID 520 wrote to memory of 756	520	netmonitor.exe	41
PID 520 wrote to memory of 756	520	netmonitor.exe	41
PID 520 wrote to memory of 748	520	netmonitor.exe	43
PID 520 wrote to memory of 748	520	netmonitor.exe	43
PID 520 wrote to memory of 748	520	netmonitor.exe	43
PID 520 wrote to memory of 1936	520	netmonitor.exe	45
PID 520 wrote to memory of 1936	520	netmonitor.exe	45
PID 520 wrote to memory of 1936	520	netmonitor.exe	45
PID 520 wrote to memory of 1012	520	netmonitor.exe	47
PID 520 wrote to memory of 1012	520	netmonitor.exe	47
PID 520 wrote to memory of 1012	520	netmonitor.exe	47
PID 520 wrote to memory of 856	520	netmonitor.exe	49
PID 520 wrote to memory of 856	520	netmonitor.exe	49
PID 520 wrote to memory of 856	520	netmonitor.exe	49
PID 520 wrote to memory of 1540	520	netmonitor.exe	51
PID 520 wrote to memory of 1540	520	netmonitor.exe	51
PID 520 wrote to memory of 1540	520	netmonitor.exe	51
PID 520 wrote to memory of 808	520	netmonitor.exe	53
PID 520 wrote to memory of 808	520	netmonitor.exe	53
PID 520 wrote to memory of 808	520	netmonitor.exe	53
PID 520 wrote to memory of 956	520	netmonitor.exe	55
PID 520 wrote to memory of 956	520	netmonitor.exe	55
PID 520 wrote to memory of 956	520	netmonitor.exe	55

C:\Users\Admin\AppData\Local\Temp\MethamphetamineSolutionsLoader.exe
"C:\Users\Admin\AppData\Local\Temp\MethamphetamineSolutionsLoader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\monitordhcp\FvrnkODJoiUIyeHAEoTP0Qn5ZC7TdH.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\monitordhcp\z1T7e01kTYgKk52k4EOgwkfTxey3zt.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\monitordhcp\RtgNSlMYtFvlTt52WHci.exe
      RtgNSlMYtFvlTt52WHci.exe -p721e19c01b35f90a5d4059aedd8f740b779e743b
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\monitordhcp\4mdxDUI6yqvmVknEtk7bYzbiBR8MHO.vbe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1384
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\monitordhcp\3hvxTv4ZROtMpYMGDajjCJWH8roHGs.bat" "
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\monitordhcp\netmonitor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\monitordhcp\netmonitor.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:520
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\ProgramData\Templates\svchost.exe'" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:1428
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\csrss.exe'" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:872
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\PerfLogs\Admin\winlogon.exe'" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:756
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\services.exe'" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:748
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Recovery\619fcb42-bc70-11ec-bd6f-84e31b84a9f2\svchost.exe'" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:1936
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\PerfLogs\Admin\csrss.exe'" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:1012
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links for United States\sppsvc.exe'" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:856
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:1540
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\PerfLogs\Admin\taskhost.exe'" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:808
        
        C:\PerfLogs\Admin\taskhost.exe
        
        "C:\PerfLogs\Admin\taskhost.exe"
        8⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\monitordhcp\msg.vbs"
        5⤵
        
        PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\taskhost.exe

Filesize
1.6MB

MD5
22097aca271c6d085b703bc64422b4b3

SHA1
a1e7d6cddc40cdcb675ecd72404d5cec66f7be5b

SHA256
4b111342f4fc80eb249bf89f3352b067d0591b9ffb24a74b49a301af5deef133

SHA512
9eb7452981524698e4dc0db065614cea5d7f422f386801d57eca6dd93d67a686d573cd241b045f1fe9033c204f33b27861ed5b139004b65b4f07be9426969603

Download Submit
C:\PerfLogs\Admin\taskhost.exe

Filesize
1.6MB

MD5
22097aca271c6d085b703bc64422b4b3

SHA1
a1e7d6cddc40cdcb675ecd72404d5cec66f7be5b

SHA256
4b111342f4fc80eb249bf89f3352b067d0591b9ffb24a74b49a301af5deef133

SHA512
9eb7452981524698e4dc0db065614cea5d7f422f386801d57eca6dd93d67a686d573cd241b045f1fe9033c204f33b27861ed5b139004b65b4f07be9426969603

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\3hvxTv4ZROtMpYMGDajjCJWH8roHGs.bat

Filesize
35B

MD5
4b64bbf9c835fdb21a4fd461d38a3a65

SHA1
5fff8b8e5c48a0e8de844b42c771041ffcdb84af

SHA256
ecfc21fd14339226b1c2e0a40be6fe6c590ac05cab44b16e7db397f9471f4ddf

SHA512
c11f3ed222b7fdceae583ec0bd9156a0beb030058edfc3c6656d4738e2cdd2b1dccd5b11d13ed53160970258c80cb0baa4ef5592411cb23c077b1e99c7d56892

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\4mdxDUI6yqvmVknEtk7bYzbiBR8MHO.vbe

Filesize
227B

MD5
abdcd2987b40e0022f1f4f782e5e289b

SHA1
fc5606a2292d892a0866858e1f822a0fd18e452b

SHA256
6ef2819df6d9e68e766c153dd3ada646d70c0f8cd1326c7dc2eff9b6f4681f5a

SHA512
9376bd090379e0fd1bd223e1484974da6630de1de17ef8049c0361dd531e24fb7873cab4d1151c78409a22827e38606fd73fb91d501b782fde40a9a5cd28e4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\FvrnkODJoiUIyeHAEoTP0Qn5ZC7TdH.vbe

Filesize
151B

MD5
90c3382006ed7324e7abf37fb98894f9

SHA1
b54b59c945f8cc5bef2c66361eaac9bfdcab7960

SHA256
9505847a0d9c07c385abb1e236c5ef2d3763e69c9eb8d7faba37486d31e0827e

SHA512
b0b4ed5929d980abef8027c8861057a7910ab5f5f64d08bb9667d4ddaea906c6330eb28a5bce7fe6daf872bb18eefd3e148a900b66b3079411c0b7d9da6dc9c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\MOS

Filesize
123B

MD5
a96f5f02c199e5179c09381c73f74232

SHA1
815ae72244d01d7491e3c9e1764180164ed9f0de

SHA256
31f4fd990ffee590b8e3a70c66fdd7d18cb18869dea7d1a73a7e898c6d2e2a74

SHA512
8eb5a654adc07373f0557205f674aace467a9cb5be2f6ea9a253e13846a5fc3078b42f836428f040f9c9a23a757a33df05ba61f0c1406f112aaa54cd4b8cccb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\RtgNSlMYtFvlTt52WHci.exe

Filesize
1.3MB

MD5
98b49b687aad9b0dcccebaa71d43747d

SHA1
1966ff6f232856e7e25b66f570a02c54960dd1f6

SHA256
d4ca9a4ea5d070206824a2b68921c4bdfa7bf038e0f82cfeb0472b17881fbcaf

SHA512
02b6a009eca115e09e6228e834ba0654c2804a0b07fda088116412a71f45b59c25f24ab7ceb54a7c1c5d628395e7bc55b94f0240c7438571c4e0c2a9db208ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\RtgNSlMYtFvlTt52WHci.exe

Filesize
1.3MB

MD5
98b49b687aad9b0dcccebaa71d43747d

SHA1
1966ff6f232856e7e25b66f570a02c54960dd1f6

SHA256
d4ca9a4ea5d070206824a2b68921c4bdfa7bf038e0f82cfeb0472b17881fbcaf

SHA512
02b6a009eca115e09e6228e834ba0654c2804a0b07fda088116412a71f45b59c25f24ab7ceb54a7c1c5d628395e7bc55b94f0240c7438571c4e0c2a9db208ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\msg.vbs

Filesize
128B

MD5
01c71ea2d98437129936261c48403132

SHA1
dc689fb68a3e7e09a334e7a37c0d10d0641af1a6

SHA256
0401f2dd76d5ed6f90c82b72e1e7a122ef127bedbaf717532c4bba26d43a0061

SHA512
a668d4216a50ccc699221dd902d8b0f864e44368dc7474fa5659a739154d4e769b85d49b60a73affb8fba7628e7210b0f8106d5652006d1bbba67083513e65d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\netmonitor.exe

Filesize
1.6MB

MD5
22097aca271c6d085b703bc64422b4b3

SHA1
a1e7d6cddc40cdcb675ecd72404d5cec66f7be5b

SHA256
4b111342f4fc80eb249bf89f3352b067d0591b9ffb24a74b49a301af5deef133

SHA512
9eb7452981524698e4dc0db065614cea5d7f422f386801d57eca6dd93d67a686d573cd241b045f1fe9033c204f33b27861ed5b139004b65b4f07be9426969603

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\netmonitor.exe

Filesize
1.6MB

MD5
22097aca271c6d085b703bc64422b4b3

SHA1
a1e7d6cddc40cdcb675ecd72404d5cec66f7be5b

SHA256
4b111342f4fc80eb249bf89f3352b067d0591b9ffb24a74b49a301af5deef133

SHA512
9eb7452981524698e4dc0db065614cea5d7f422f386801d57eca6dd93d67a686d573cd241b045f1fe9033c204f33b27861ed5b139004b65b4f07be9426969603

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\z1T7e01kTYgKk52k4EOgwkfTxey3zt.bat

Filesize
625B

MD5
6176c194ea1490ee585985a9374a7f63

SHA1
eff00b803ad20094c8a8121d81af3e12aae32a43

SHA256
72fc248e868a01f354f6d679389d7b75e6cb53212367221b9599c753a7abe095

SHA512
09ebe600cccdbdbe2441b8d147531fe9470a5c7103cf70e71d45d8176d59e3343dbe26e7aab8a1be3356546ee11c7c367857c1452a4a1bc65df21ceb9ae3513d

Download Submit
\Users\Admin\AppData\Local\Temp\monitordhcp\RtgNSlMYtFvlTt52WHci.exe

Filesize
1.3MB

MD5
98b49b687aad9b0dcccebaa71d43747d

SHA1
1966ff6f232856e7e25b66f570a02c54960dd1f6

SHA256
d4ca9a4ea5d070206824a2b68921c4bdfa7bf038e0f82cfeb0472b17881fbcaf

SHA512
02b6a009eca115e09e6228e834ba0654c2804a0b07fda088116412a71f45b59c25f24ab7ceb54a7c1c5d628395e7bc55b94f0240c7438571c4e0c2a9db208ee2

Download Submit
\Users\Admin\AppData\Local\Temp\monitordhcp\netmonitor.exe

Filesize
1.6MB

MD5
22097aca271c6d085b703bc64422b4b3

SHA1
a1e7d6cddc40cdcb675ecd72404d5cec66f7be5b

SHA256
4b111342f4fc80eb249bf89f3352b067d0591b9ffb24a74b49a301af5deef133

SHA512
9eb7452981524698e4dc0db065614cea5d7f422f386801d57eca6dd93d67a686d573cd241b045f1fe9033c204f33b27861ed5b139004b65b4f07be9426969603

Download Submit
memory/520-78-0x0000000000EA0000-0x0000000001048000-memory.dmp

Filesize
1.7MB

Download
memory/520-79-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/956-93-0x0000000000290000-0x00000000002AA000-memory.dmp

Filesize
104KB

Download
memory/956-92-0x0000000000EB0000-0x0000000001058000-memory.dmp

Filesize
1.7MB

Download
memory/2024-54-0x0000000075381000-0x0000000075383000-memory.dmp

Filesize
8KB

Download