Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-10-2022 19:41
Static task: static1
Behavioral task: behavioral1
Sample: 06cb1bb9f65f954677aa5e66cfecad10.exe
Resource: win7-20220901-en
General
Target: 06cb1bb9f65f954677aa5e66cfecad10.exe
Size: 4.9MB
MD5: 06cb1bb9f65f954677aa5e66cfecad10
SHA1: 7226decd411a371d2727b8b6742f578425b0a7c2
SHA256: 4faa19632922332b8aedd25006c9c3349bcb9f2bf24bf116857258a7769efbf0
SHA512: ea81cca73a9abad99666e974ae73b9cc38d19fa666b0914d518dee731eab4ed2ed3b7797f453db2f0f22ce6cdc2866591ac0cc56aa01d7530b29e30da8cc098b
SSDEEP: 49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted: colibri 1.2.0 (Build1)
C2 URLs:
- http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
- http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid 2020, pid_target 4220, process schtasks.exe)
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid 3556, pid_target 4220, process schtasks.exe)
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid 2300, pid_target 4220, process schtasks.exe)
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid 5036, pid_target 4220, process schtasks.exe)
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid 4180, pid_target 4220, process schtasks.exe)
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid 3884, pid_target 4220, process schtasks.exe)

UAC bypass 6 IoCs
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (wininit.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (06cb1bb9f65f954677aa5e66cfecad10.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (06cb1bb9f65f954677aa5e66cfecad10.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (06cb1bb9f65f954677aa5e66cfecad10.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (wininit.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (wininit.exe)
Executes dropped EXE 7 IoCs
Processes:
- PID 3604 tmpF8BC.tmp.exe
- PID 204 tmpF8BC.tmp.exe
- PID 4500 tmpF8BC.tmp.exe
- PID 3600 tmpF8BC.tmp.exe
- PID 3472 wininit.exe
- PID 260 tmp972F.tmp.exe
- PID 3244 tmp972F.tmp.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (06cb1bb9f65f954677aa5e66cfecad10.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (wininit.exe)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks whether UAC is enabled 4 IoCs
Processes:
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (06cb1bb9f65f954677aa5e66cfecad10.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (06cb1bb9f65f954677aa5e66cfecad10.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (wininit.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (wininit.exe)
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 35: ipinfo.io
- flow 34: ipinfo.io
Suspicious use of SetThreadContext 2 IoCs
Processes:
- PID 4500 set thread context of 3600 (process tmpF8BC.tmp.exe, target process tmpF8BC.tmp.exe)
- PID 260 set thread context of 3244 (process tmp972F.tmp.exe, target process tmp972F.tmp.exe)
Drops file in Windows directory 5 IoCs
Processes:
- File created C:\Windows\ShellComponents\56085415360792 (06cb1bb9f65f954677aa5e66cfecad10.exe)
- File opened for modification C:\Windows\ShellComponents\RCX10B.tmp (06cb1bb9f65f954677aa5e66cfecad10.exe)
- File created C:\Windows\System\Speech\fontdrvhost.exe (06cb1bb9f65f954677aa5e66cfecad10.exe)
- File created C:\Windows\ShellComponents\wininit.exe (06cb1bb9f65f954677aa5e66cfecad10.exe)
- File opened for modification C:\Windows\ShellComponents\wininit.exe (06cb1bb9f65f954677aa5e66cfecad10.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- PID 4180 schtasks.exe
- PID 3884 schtasks.exe
- PID 2020 schtasks.exe
- PID 3556 schtasks.exe
- PID 2300 schtasks.exe
- PID 5036 schtasks.exe
Modifies registry class 2 IoCs
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (06cb1bb9f65f954677aa5e66cfecad10.exe)
- Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings (wininit.exe)
Suspicious behavior: EnumeratesProcesses 56 IoCs
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
- Token: SeDebugPrivilege (PID 4648 06cb1bb9f65f954677aa5e66cfecad10.exe)
- Token: SeDebugPrivilege (PID 808 powershell.exe)
- Token: SeDebugPrivilege (PID 760 powershell.exe)
- Token: SeDebugPrivilege (PID 968 powershell.exe)
- Token: SeDebugPrivilege (PID 4324 powershell.exe)
- Token: SeDebugPrivilege (PID 900 powershell.exe)
- Token: SeDebugPrivilege (PID 1852 powershell.exe)
- Token: SeDebugPrivilege (PID 1844 powershell.exe)
- Token: SeDebugPrivilege (PID 3296 powershell.exe)
- Token: SeDebugPrivilege (PID 1316 powershell.exe)
- Token: SeDebugPrivilege (PID 2848 powershell.exe)
- Token: SeDebugPrivilege (PID 2528 powershell.exe)
- Token: SeDebugPrivilege (PID 1956 powershell.exe)
- Token: SeDebugPrivilege (PID 3472 wininit.exe)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- PID 3472 wininit.exe
Suspicious use of WriteProcessMemory 56 IoCs
System policy modification 1 TTPs 6 IoCs
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (06cb1bb9f65f954677aa5e66cfecad10.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (06cb1bb9f65f954677aa5e66cfecad10.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (06cb1bb9f65f954677aa5e66cfecad10.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (wininit.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (wininit.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (wininit.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\06cb1bb9f65f954677aa5e66cfecad10.exe (PID 4648)
  Command line: "C:\Users\Admin\AppData\Local\Temp\06cb1bb9f65f954677aa5e66cfecad10.exe"
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Users\Admin\AppData\Local\Temp\tmpF8BC.tmp.exe (PID 3604)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpF8BC.tmp.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\tmpF8BC.tmp.exe (PID 204)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmpF8BC.tmp.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\tmpF8BC.tmp.exe (PID 4500)
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmpF8BC.tmp.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\tmpF8BC.tmp.exe (PID 3600)
          Command line: "C:\Users\Admin\AppData\Local\Temp\tmpF8BC.tmp.exe"
          - Executes dropped EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 808)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 760)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 900)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 968)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1852)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4324)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1844)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3296)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1316)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1956)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2848)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2528)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\ShellComponents\wininit.exe (PID 3472)
    Command line: "C:\Windows\ShellComponents\wininit.exe"
    - UAC bypass
    - Executes dropped EXE
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Users\Admin\AppData\Local\Temp\tmp972F.tmp.exe (PID 260)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp972F.tmp.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\tmp972F.tmp.exe (PID 3244)
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp972F.tmp.exe"
        - Executes dropped EXE
    C:\Windows\System32\WScript.exe (PID 2364)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6b25c67-b63c-4af4-9af3-82aafaaf80a0.vbs"
    C:\Windows\System32\WScript.exe (PID 4028)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf54d50b-189e-4011-b8e0-4238d33b324a.vbs"
C:\Windows\system32\schtasks.exe (PID 2020)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellComponents\wininit.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 3556)
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ShellComponents\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 2300)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellComponents\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 5036)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\My Documents\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 4180)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 3884)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\My Documents\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Downloads