Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 01/11/2022, 10:35

Behavioral task: behavioral1
Sample: c33e5f12fbadf295b97d134314aa50ad8870947233724a88552463706ef64367.exe
Resource: win10-20220901-en

General
Target: c33e5f12fbadf295b97d134314aa50ad8870947233724a88552463706ef64367.exe
Size: 1.3MB
MD5: 1cb3a68c922a55da025b4ea67218a756
SHA1: 90c6d42f3a0e6482aa9cb3a27c7b0d22bd69604d
SHA256: c33e5f12fbadf295b97d134314aa50ad8870947233724a88552463706ef64367
SHA512: 42b5e3dd12866bfaa357f8e3206e86115d232030667b2de5e10f58bebe2c87c3a7f6b6e40f63d3fa7c785f8261e3a60a70d9292bf8461764fd24919accb7d081
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
resource | yara_rule
behavioral1/files/0x000900000001abbe-284.dat | dcrat
behavioral1/files/0x000900000001abbe-285.dat | dcrat
behavioral1/memory/3424-286-0x0000000000F70000-0x0000000001080000-memory.dmp | dcrat
behavioral1/files/0x000600000001abcf-304.dat | dcrat
behavioral1/files/0x000600000001abcf-305.dat | dcrat
behavioral1/files/0x000600000001abcf-475.dat | dcrat
behavioral1/files/0x000600000001abcf-481.dat | dcrat
behavioral1/files/0x000600000001abcf-487.dat | dcrat
behavioral1/files/0x000600000001abcf-492.dat | dcrat
behavioral1/files/0x000600000001abcf-497.dat | dcrat
behavioral1/files/0x000600000001abcf-503.dat | dcrat
behavioral1/files/0x000600000001abcf-508.dat | dcrat
behavioral1/files/0x000600000001abcf-514.dat | dcrat
behavioral1/files/0x000600000001abcf-520.dat | dcrat
behavioral1/files/0x000600000001abcf-526.dat | dcrat

Process spawned unexpected child process (12 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5000 | 4996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4684 | 4996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4664 | 4996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4472 | 4996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5016 | 4996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5024 | 4996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4936 | 4996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4872 | 4996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4912 | 4996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5060 | 4996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4832 | 4996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4880 | 4996 | schtasks.exe | 70
Executes dropped EXE (12 IoCs)
pid | Process
3424 | DllCommonsvc.exe
2688 | Idle.exe
1972 | Idle.exe
4428 | Idle.exe
4704 | Idle.exe
3512 | Idle.exe
4560 | Idle.exe
1168 | Idle.exe
4264 | Idle.exe
1052 | Idle.exe
68 | Idle.exe
340 | Idle.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Drops file in Program Files directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\9e8d7a4ca61bd9 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows NT\TableTextService\en-US\6ccacd8608530f | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe | DllCommonsvc.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\Provisioning\Packages\csrss.exe | DllCommonsvc.exe
File created | C:\Windows\Provisioning\Packages\886983d96e3d3e | DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4684 | schtasks.exe
4472 | schtasks.exe
4912 | schtasks.exe
5060 | schtasks.exe
4832 | schtasks.exe
5000 | schtasks.exe
5016 | schtasks.exe
5024 | schtasks.exe
4936 | schtasks.exe
4872 | schtasks.exe
4880 | schtasks.exe
4664 | schtasks.exe
Modifies registry class (12 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | c33e5f12fbadf295b97d134314aa50ad8870947233724a88552463706ef64367.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | Idle.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | Idle.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | Idle.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | Idle.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | Idle.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | Idle.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | Idle.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | Idle.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | Idle.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | Idle.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | Idle.exe
Suspicious behavior: EnumeratesProcesses (29 IoCs)
pid | Process
3424 | DllCommonsvc.exe
3424 | DllCommonsvc.exe
3424 | DllCommonsvc.exe
2420 | powershell.exe
2664 | powershell.exe
3236 | powershell.exe
2424 | powershell.exe
4732 | powershell.exe
2420 | powershell.exe
4732 | powershell.exe
2424 | powershell.exe
2688 | Idle.exe
2420 | powershell.exe
2664 | powershell.exe
3236 | powershell.exe
4732 | powershell.exe
2424 | powershell.exe
2664 | powershell.exe
3236 | powershell.exe
1972 | Idle.exe
4428 | Idle.exe
4704 | Idle.exe
3512 | Idle.exe
4560 | Idle.exe
1168 | Idle.exe
4264 | Idle.exe
1052 | Idle.exe
68 | Idle.exe
340 | Idle.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3424 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2420 | powershell.exe
Token: SeDebugPrivilege | 2664 | powershell.exe
Token: SeDebugPrivilege | 3236 | powershell.exe
Token: SeDebugPrivilege | 2688 | Idle.exe
Token: SeDebugPrivilege | 2424 | powershell.exe
Token: SeDebugPrivilege | 4732 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2420 | powershell.exe
Token: SeSecurityPrivilege | 2420 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2420 | powershell.exe
Token: SeLoadDriverPrivilege | 2420 | powershell.exe
Token: SeSystemProfilePrivilege | 2420 | powershell.exe
Token: SeSystemtimePrivilege | 2420 | powershell.exe
Token: SeProfSingleProcessPrivilege | 2420 | powershell.exe
Token: SeIncBasePriorityPrivilege | 2420 | powershell.exe
Token: SeCreatePagefilePrivilege | 2420 | powershell.exe
Token: SeBackupPrivilege | 2420 | powershell.exe
Token: SeRestorePrivilege | 2420 | powershell.exe
Token: SeShutdownPrivilege | 2420 | powershell.exe
Token: SeDebugPrivilege | 2420 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 2420 | powershell.exe
Token: SeRemoteShutdownPrivilege | 2420 | powershell.exe
Token: SeUndockPrivilege | 2420 | powershell.exe
Token: SeManageVolumePrivilege | 2420 | powershell.exe
Token: 33 | 2420 | powershell.exe
Token: 34 | 2420 | powershell.exe
Token: 35 | 2420 | powershell.exe
Token: 36 | 2420 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 4732 | powershell.exe
Token: SeSecurityPrivilege | 4732 | powershell.exe
Token: SeTakeOwnershipPrivilege | 4732 | powershell.exe
Token: SeLoadDriverPrivilege | 4732 | powershell.exe
Token: SeSystemProfilePrivilege | 4732 | powershell.exe
Token: SeSystemtimePrivilege | 4732 | powershell.exe
Token: SeProfSingleProcessPrivilege | 4732 | powershell.exe
Token: SeIncBasePriorityPrivilege | 4732 | powershell.exe
Token: SeCreatePagefilePrivilege | 4732 | powershell.exe
Token: SeBackupPrivilege | 4732 | powershell.exe
Token: SeRestorePrivilege | 4732 | powershell.exe
Token: SeShutdownPrivilege | 4732 | powershell.exe
Token: SeDebugPrivilege | 4732 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 4732 | powershell.exe
Token: SeRemoteShutdownPrivilege | 4732 | powershell.exe
Token: SeUndockPrivilege | 4732 | powershell.exe
Token: SeManageVolumePrivilege | 4732 | powershell.exe
Token: 33 | 4732 | powershell.exe
Token: 34 | 4732 | powershell.exe
Token: 35 | 4732 | powershell.exe
Token: 36 | 4732 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2424 | powershell.exe
Token: SeSecurityPrivilege | 2424 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2424 | powershell.exe
Token: SeLoadDriverPrivilege | 2424 | powershell.exe
Token: SeSystemProfilePrivilege | 2424 | powershell.exe
Token: SeSystemtimePrivilege | 2424 | powershell.exe
Token: SeProfSingleProcessPrivilege | 2424 | powershell.exe
Token: SeIncBasePriorityPrivilege | 2424 | powershell.exe
Token: SeCreatePagefilePrivilege | 2424 | powershell.exe
Token: SeBackupPrivilege | 2424 | powershell.exe
Token: SeRestorePrivilege | 2424 | powershell.exe
Token: SeShutdownPrivilege | 2424 | powershell.exe
Token: SeDebugPrivilege | 2424 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 2424 | powershell.exe
Token: SeRemoteShutdownPrivilege | 2424 | powershell.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4944 wrote to memory of 2024 | 4944 | c33e5f12fbadf295b97d134314aa50ad8870947233724a88552463706ef64367.exe | 66
PID 4944 wrote to memory of 2024 | 4944 | c33e5f12fbadf295b97d134314aa50ad8870947233724a88552463706ef64367.exe | 66
PID 4944 wrote to memory of 2024 | 4944 | c33e5f12fbadf295b97d134314aa50ad8870947233724a88552463706ef64367.exe | 66
PID 2024 wrote to memory of 4240 | 2024 | WScript.exe | 67
PID 2024 wrote to memory of 4240 | 2024 | WScript.exe | 67
PID 2024 wrote to memory of 4240 | 2024 | WScript.exe | 67
PID 4240 wrote to memory of 3424 | 4240 | cmd.exe | 69
PID 4240 wrote to memory of 3424 | 4240 | cmd.exe | 69
PID 3424 wrote to memory of 2420 | 3424 | DllCommonsvc.exe | 83
PID 3424 wrote to memory of 2420 | 3424 | DllCommonsvc.exe | 83
PID 3424 wrote to memory of 2664 | 3424 | DllCommonsvc.exe | 85
PID 3424 wrote to memory of 2664 | 3424 | DllCommonsvc.exe | 85
PID 3424 wrote to memory of 2424 | 3424 | DllCommonsvc.exe | 91
PID 3424 wrote to memory of 2424 | 3424 | DllCommonsvc.exe | 91
PID 3424 wrote to memory of 3236 | 3424 | DllCommonsvc.exe | 89
PID 3424 wrote to memory of 3236 | 3424 | DllCommonsvc.exe | 89
PID 3424 wrote to memory of 4732 | 3424 | DllCommonsvc.exe | 88
PID 3424 wrote to memory of 4732 | 3424 | DllCommonsvc.exe | 88
PID 3424 wrote to memory of 2688 | 3424 | DllCommonsvc.exe | 93
PID 3424 wrote to memory of 2688 | 3424 | DllCommonsvc.exe | 93
PID 2688 wrote to memory of 4060 | 2688 | Idle.exe | 95
PID 2688 wrote to memory of 4060 | 2688 | Idle.exe | 95
PID 4060 wrote to memory of 3228 | 4060 | cmd.exe | 97
PID 4060 wrote to memory of 3228 | 4060 | cmd.exe | 97
PID 4060 wrote to memory of 1972 | 4060 | cmd.exe | 98
PID 4060 wrote to memory of 1972 | 4060 | cmd.exe | 98
PID 1972 wrote to memory of 5060 | 1972 | Idle.exe | 99
PID 1972 wrote to memory of 5060 | 1972 | Idle.exe | 99
PID 5060 wrote to memory of 5052 | 5060 | cmd.exe | 101
PID 5060 wrote to memory of 5052 | 5060 | cmd.exe | 101
PID 5060 wrote to memory of 4428 | 5060 | cmd.exe | 102
PID 5060 wrote to memory of 4428 | 5060 | cmd.exe | 102
PID 4428 wrote to memory of 4296 | 4428 | Idle.exe | 103
PID 4428 wrote to memory of 4296 | 4428 | Idle.exe | 103
PID 4296 wrote to memory of 552 | 4296 | cmd.exe | 105
PID 4296 wrote to memory of 552 | 4296 | cmd.exe | 105
PID 4296 wrote to memory of 4704 | 4296 | cmd.exe | 106
PID 4296 wrote to memory of 4704 | 4296 | cmd.exe | 106
PID 4704 wrote to memory of 3876 | 4704 | Idle.exe | 108
PID 4704 wrote to memory of 3876 | 4704 | Idle.exe | 108
PID 3876 wrote to memory of 372 | 3876 | cmd.exe | 109
PID 3876 wrote to memory of 372 | 3876 | cmd.exe | 109
PID 3876 wrote to memory of 3512 | 3876 | cmd.exe | 110
PID 3876 wrote to memory of 3512 | 3876 | cmd.exe | 110
PID 3512 wrote to memory of 4600 | 3512 | Idle.exe | 111
PID 3512 wrote to memory of 4600 | 3512 | Idle.exe | 111
PID 4600 wrote to memory of 3600 | 4600 | cmd.exe | 113
PID 4600 wrote to memory of 3600 | 4600 | cmd.exe | 113
PID 4600 wrote to memory of 4560 | 4600 | cmd.exe | 114
PID 4600 wrote to memory of 4560 | 4600 | cmd.exe | 114
PID 4560 wrote to memory of 96 | 4560 | Idle.exe | 115
PID 4560 wrote to memory of 96 | 4560 | Idle.exe | 115
PID 96 wrote to memory of 3968 | 96 | cmd.exe | 117
PID 96 wrote to memory of 3968 | 96 | cmd.exe | 117
PID 96 wrote to memory of 1168 | 96 | cmd.exe | 118
PID 96 wrote to memory of 1168 | 96 | cmd.exe | 118
PID 1168 wrote to memory of 1200 | 1168 | Idle.exe | 119
PID 1168 wrote to memory of 1200 | 1168 | Idle.exe | 119
PID 1200 wrote to memory of 4788 | 1200 | cmd.exe | 121
PID 1200 wrote to memory of 4788 | 1200 | cmd.exe | 121
PID 1200 wrote to memory of 4264 | 1200 | cmd.exe | 122
PID 1200 wrote to memory of 4264 | 1200 | cmd.exe | 122
PID 4264 wrote to memory of 2296 | 4264 | Idle.exe | 123
PID 4264 wrote to memory of 2296 | 4264 | Idle.exe | 123
Processes
Process tree (Level N is the nesting depth; each entry lists the image path, command line, PID and matched signatures)

Level 1: C:\Users\Admin\AppData\Local\Temp\c33e5f12fbadf295b97d134314aa50ad8870947233724a88552463706ef64367.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c33e5f12fbadf295b97d134314aa50ad8870947233724a88552463706ef64367.exe"
  PID: 4944
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

Level 2: C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  PID: 2024
  - Suspicious use of WriteProcessMemory

Level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
  PID: 4240
  - Suspicious use of WriteProcessMemory

Level 4: C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  PID: 3424
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  PID: 2420
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'
  PID: 2664
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Packages\csrss.exe'
  PID: 4732
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'
  PID: 3236
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
  PID: 2424
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5: C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
  Command line: "C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe"
  PID: 2688
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 6: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat"
  PID: 4060
  - Suspicious use of WriteProcessMemory

Level 7: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3228

Level 7: C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
  Command line: "C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe"
  PID: 1972
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 8: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat"
  PID: 5060
  - Suspicious use of WriteProcessMemory

Level 9: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 5052

Level 9: C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
  Command line: "C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe"
  PID: 4428
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 10: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat"
  PID: 4296
  - Suspicious use of WriteProcessMemory

Level 11: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 552

Level 11: C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
  Command line: "C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe"
  PID: 4704
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 12: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat"
  PID: 3876
  - Suspicious use of WriteProcessMemory

Level 13: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 372

Level 13: C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
  Command line: "C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe"
  PID: 3512
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 14: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat"
  PID: 4600
  - Suspicious use of WriteProcessMemory

Level 15: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3600

Level 15: C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
  Command line: "C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe"
  PID: 4560
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 16: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat"
  PID: 96
  - Suspicious use of WriteProcessMemory

Level 17: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3968

Level 17: C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
  Command line: "C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe"
  PID: 1168
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 18: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"
  PID: 1200
  - Suspicious use of WriteProcessMemory

Level 19: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4788

Level 19: C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
  Command line: "C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe"
  PID: 4264
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 20: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat"
  PID: 2296

Level 21: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4668

Level 21: C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
  Command line: "C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe"
  PID: 1052
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

Level 22: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"
  PID: 328

Level 23: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4588

Level 23: C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
  Command line: "C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe"
  PID: 68
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

Level 24: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat"
  PID: 4708

Level 25: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4728

Level 25: C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
  Command line: "C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe"
  PID: 340
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

Level 26: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iMm147yiIR.bat"
  PID: 4232

Level 27: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 5068
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /f
  PID: 5000
  - Process spawned unexpected child process
  - Creates scheduled task(s)

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
  PID: 4684
  - Process spawned unexpected child process
  - Creates scheduled task(s)

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
  PID: 4664
  - Process spawned unexpected child process
  - Creates scheduled task(s)

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
  PID: 4472
  - Process spawned unexpected child process
  - Creates scheduled task(s)

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
  PID: 5016
  - Process spawned unexpected child process
  - Creates scheduled task(s)

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
  PID: 5024
  - Process spawned unexpected child process
  - Creates scheduled task(s)

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /f
  PID: 4936
  - Process spawned unexpected child process
  - Creates scheduled task(s)

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /rl HIGHEST /f
  PID: 4872
  - Process spawned unexpected child process
  - Creates scheduled task(s)

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /rl HIGHEST /f
  PID: 4912
  - Process spawned unexpected child process
  - Creates scheduled task(s)

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Provisioning\Packages\csrss.exe'" /f
  PID: 5060
  - Process spawned unexpected child process
  - Creates scheduled task(s)

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\csrss.exe'" /rl HIGHEST /f
  PID: 4832
  - Process spawned unexpected child process
  - Creates scheduled task(s)

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Provisioning\Packages\csrss.exe'" /rl HIGHEST /f
  PID: 4880
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads