Analysis
-
max time kernel
58s -
max time network
68s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system -
submitted
24/04/2023, 23:05
Behavioral task
behavioral1
Sample
CLibrary.dll
Resource
win10v2004-20230220-en
Behavioral task
behavioral2
Sample
injector.exe
Resource
win10v2004-20230220-en
General
-
Target
injector.exe
-
Size
1.7MB
-
MD5
8cc41b512b7fdf051bff007c253e4043
-
SHA1
0b63191f4f416c41be915a08e2e045e9ba1ce1a0
-
SHA256
9dcfcb7b9dd25f740986fe03702928371903d279dbab6b5d8c7cb7a574f0caca
-
SHA512
3d773346ba5e7a1782934121e66b47d1865c1b82a8260ad2195c28865fb80dbaa325d6483a28c99e7e510a3d0dd4f835742626acea44042e3155d41f71bd93e9
-
SSDEEP
24576:P2G/nvxW3W+0ZddL1uN+9vYzK1pTVklXQ3JcGJdyuC6gFLMRUSIxNhoAJHIqL/hg:PbA3ebJ1uo8IcayuqSIdo0eL1
Malware Config
Signatures
-
DcRat
DarkCrystal (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
-
Modifies WinLogon for persistence 2 TTPs 14 IoCs
The IoCs below show HKLM\...\Winlogon\Shell being rewritten repeatedly by FontSavessvc.exe, each write appending one more dropped executable after "explorer.exe"; every listed path is then launched at each interactive logon. Writing this HKLM value requires administrative rights, so this is also evidence the sample ran elevated. Restoring the value to plain "explorer.exe" is part of remediation; removing the dropped files alone leaves a broken shell.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\it-IT\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\dwm.exe\", \"C:\\ContainerBrowserdriverSaves\\Idle.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\RuntimeBroker.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\it-IT\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\dwm.exe\", \"C:\\ContainerBrowserdriverSaves\\Idle.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Defender\\backgroundTaskHost.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\it-IT\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\dwm.exe\", \"C:\\ContainerBrowserdriverSaves\\Idle.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Defender\\backgroundTaskHost.exe\", \"C:\\odt\\conhost.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\it-IT\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\dwm.exe\", \"C:\\ContainerBrowserdriverSaves\\Idle.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Defender\\backgroundTaskHost.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Public\\Videos\\conhost.exe\", \"C:\\Users\\All Users\\Adobe\\Setup\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Program Files (x86)\\Windows Multimedia 
Platform\\StartMenuExperienceHost.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\it-IT\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\dwm.exe\", \"C:\\ContainerBrowserdriverSaves\\Idle.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Defender\\backgroundTaskHost.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Public\\Videos\\conhost.exe\", \"C:\\Users\\All Users\\Adobe\\Setup\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\it-IT\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\dwm.exe\", \"C:\\ContainerBrowserdriverSaves\\Idle.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Defender\\backgroundTaskHost.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Public\\Videos\\conhost.exe\", \"C:\\Users\\All Users\\Adobe\\Setup\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\System.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\it-IT\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\dwm.exe\", \"C:\\ContainerBrowserdriverSaves\\Idle.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows 
Defender\\backgroundTaskHost.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Public\\Videos\\conhost.exe\", \"C:\\Users\\All Users\\Adobe\\Setup\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\System.exe\", \"C:\\Users\\All Users\\Start Menu\\explorer.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\it-IT\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\dwm.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\it-IT\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\dwm.exe\", \"C:\\ContainerBrowserdriverSaves\\Idle.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\it-IT\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\dwm.exe\", \"C:\\ContainerBrowserdriverSaves\\Idle.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Defender\\backgroundTaskHost.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\it-IT\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\dwm.exe\", \"C:\\ContainerBrowserdriverSaves\\Idle.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows 
Defender\\backgroundTaskHost.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Public\\Videos\\conhost.exe\", \"C:\\Users\\All Users\\Adobe\\Setup\\Registry.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\it-IT\\unsecapp.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\it-IT\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\dwm.exe\", \"C:\\ContainerBrowserdriverSaves\\Idle.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Defender\\backgroundTaskHost.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\backgroundTaskHost.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\it-IT\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\dwm.exe\", \"C:\\ContainerBrowserdriverSaves\\Idle.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Defender\\backgroundTaskHost.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Public\\Videos\\conhost.exe\"" FontSavessvc.exe -
Process spawned unexpected child process 42 IoCs
This signature's generic description is that the parent process was compromised via an exploit or macro. In this report, however, the parent of all 42 schtasks.exe instances is wmiprvse.exe (PID 2208), which is consistent with the sample creating processes through WMI (so the children are hosted under the WMI provider) rather than with wmiprvse.exe itself being exploited; treat it as an indicator of WMI-driven execution and correlate with the "Creates scheduled task(s)" entries below.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3904 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3844 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2704 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3892 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3856 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4996 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2676 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1612 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4876 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 560 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1208 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4812 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2280 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4868 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3208 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2688 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5084 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4380 2208 
schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2532 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1928 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3496 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5004 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2708 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4700 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5068 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3320 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4724 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4988 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2564 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4712 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4104 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1036 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4000 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3064 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5024 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2004 2208 schtasks.exe 78 Parent 
C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2188 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3788 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1332 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3192 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3372 2208 schtasks.exe 78 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1512 2208 schtasks.exe 78 -
resource yara_rule behavioral2/files/0x0003000000000731-142.dat dcrat behavioral2/files/0x0003000000000731-144.dat dcrat behavioral2/memory/700-145-0x00000000007A0000-0x000000000090A000-memory.dmp dcrat behavioral2/files/0x00040000000162a6-151.dat dcrat behavioral2/files/0x000300000001e7f0-183.dat dcrat behavioral2/files/0x000300000001e7f0-185.dat dcrat behavioral2/files/0x0003000000000731-222.dat dcrat behavioral2/files/0x0003000000000731-226.dat dcrat -
Disables Task Manager via registry modification
The process tree shows reg.exe setting HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr to 1, which prevents the logged-on user from opening Task Manager to find or terminate the implant. Delete or zero the value during cleanup.
-
Checks computer location settings 2 TTPs 7 IoCs
Queries the country code configured in the registry (Control Panel\International\Geo\Nation), most likely to geofence execution by victim locale.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation injector.exe Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation injector.exe Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation injector.exe Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation FontSavessvc.exe -
Executes dropped EXE 4 IoCs
pid Process 700 FontSavessvc.exe 3232 services.exe 4708 FontSavessvc.exe 1332 FontSavessvc.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often read stored browser data, which can include saved credentials, cookies and session tokens. This entry reports no IoCs, so it should be confirmed against file-access telemetry before concluding that browser data was actually collected.
-
Adds Run key to start application 2 TTPs 28 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Public\\Videos\\conhost.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Multimedia Platform\\System.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Multimedia Platform\\System.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default\\SendTo\\dwm.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\odt\\conhost.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Public\\Videos\\conhost.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\Internet Explorer\\it-IT\\unsecapp.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\ContainerBrowserdriverSaves\\Idle.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\Start Menu\\explorer.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\StartMenuExperienceHost.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\Start 
Menu\\explorer.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\RuntimeBroker.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows Defender\\backgroundTaskHost.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\ContainerBrowserdriverSaves\\Idle.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\RuntimeBroker.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\backgroundTaskHost.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\backgroundTaskHost.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\All Users\\Adobe\\Setup\\Registry.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\All Users\\Adobe\\Setup\\Registry.exe\"" FontSavessvc.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\Internet Explorer\\it-IT\\unsecapp.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows Defender\\backgroundTaskHost.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\odt\\conhost.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default\\SendTo\\dwm.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\"" FontSavessvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\StartMenuExperienceHost.exe\"" FontSavessvc.exe -
Drops file in Program Files directory 13 IoCs
description ioc Process File created C:\Program Files (x86)\Windows NT\Accessories\9e8d7a4ca61bd9 FontSavessvc.exe File created C:\Program Files (x86)\Windows Defender\backgroundTaskHost.exe FontSavessvc.exe File created C:\Program Files\Windows NT\Accessories\en-US\backgroundTaskHost.exe FontSavessvc.exe File created C:\Program Files (x86)\Windows Multimedia Platform\55b276f4edf653 FontSavessvc.exe File created C:\Program Files (x86)\Windows NT\Accessories\RuntimeBroker.exe FontSavessvc.exe File opened for modification C:\Program Files\Internet Explorer\it-IT\unsecapp.exe FontSavessvc.exe File created C:\Program Files\Internet Explorer\it-IT\29c1c3cc0f7685 FontSavessvc.exe File created C:\Program Files (x86)\Windows Defender\eddb19405b7ce1 FontSavessvc.exe File created C:\Program Files\Windows NT\Accessories\en-US\eddb19405b7ce1 FontSavessvc.exe File created C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe FontSavessvc.exe File created C:\Program Files\Windows Multimedia Platform\System.exe FontSavessvc.exe File created C:\Program Files\Windows Multimedia Platform\27d1bcfc3c54e0 FontSavessvc.exe File created C:\Program Files\Internet Explorer\it-IT\unsecapp.exe FontSavessvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the tasks come in pairs per dropped payload: one ONLOGON trigger and one repeating MINUTE trigger, most created with /rl HIGHEST so the payload runs with the highest privileges available to the account, and /f to silently overwrite any existing task of the same name. All of the task names below (unsecapp, dwm, Idle, RuntimeBroker, backgroundTaskHost, conhost, services, ...) mimic legitimate Windows binaries and should be removed as a set.
pid Process 4104 schtasks.exe 3904 schtasks.exe 3856 schtasks.exe 1928 schtasks.exe 5068 schtasks.exe 3320 schtasks.exe 3788 schtasks.exe 3844 schtasks.exe 4380 schtasks.exe 3064 schtasks.exe 5024 schtasks.exe 1332 schtasks.exe 3372 schtasks.exe 4876 schtasks.exe 4712 schtasks.exe 3208 schtasks.exe 2532 schtasks.exe 5004 schtasks.exe 2704 schtasks.exe 4812 schtasks.exe 2708 schtasks.exe 4988 schtasks.exe 3192 schtasks.exe 2676 schtasks.exe 2688 schtasks.exe 4700 schtasks.exe 4724 schtasks.exe 2564 schtasks.exe 4000 schtasks.exe 1512 schtasks.exe 3892 schtasks.exe 5084 schtasks.exe 2280 schtasks.exe 3496 schtasks.exe 1036 schtasks.exe 2004 schtasks.exe 1612 schtasks.exe 560 schtasks.exe 4868 schtasks.exe 2188 schtasks.exe 4996 schtasks.exe 1208 schtasks.exe -
Modifies registry class 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings injector.exe Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings FontSavessvc.exe Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings injector.exe Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings injector.exe -
Modifies registry key 1 TTPs 3 IoCs
pid Process 2836 reg.exe 4532 reg.exe 5044 reg.exe -
Opens file in notepad (heuristic: possible ransom note) 1 IoCs
This is a generic heuristic; nothing else in this report indicates file encryption or ransom behaviour, so the NOTEPAD.EXE launch is more plausibly a decoy or a lure document and should be verified from the dropped files rather than assumed to be ransomware.
pid Process 4204 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 700 FontSavessvc.exe 700 FontSavessvc.exe 700 FontSavessvc.exe 700 FontSavessvc.exe 700 FontSavessvc.exe 3232 services.exe 3232 services.exe 3232 services.exe 3232 services.exe 3232 services.exe 3232 services.exe 3232 services.exe 3232 services.exe 3232 services.exe 3232 services.exe 3232 services.exe 3232 services.exe 3232 services.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 700 FontSavessvc.exe Token: SeDebugPrivilege 3232 services.exe Token: SeDebugPrivilege 4708 FontSavessvc.exe Token: SeDebugPrivilege 1332 FontSavessvc.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 5084 injector.exe 4556 injector.exe -
Suspicious use of WriteProcessMemory 39 IoCs
description pid Process procid_target PID 2612 wrote to memory of 2592 2612 injector.exe 83 PID 2612 wrote to memory of 2592 2612 injector.exe 83 PID 2612 wrote to memory of 2592 2612 injector.exe 83 PID 2592 wrote to memory of 4340 2592 WScript.exe 85 PID 2592 wrote to memory of 4340 2592 WScript.exe 85 PID 2592 wrote to memory of 4340 2592 WScript.exe 85 PID 4340 wrote to memory of 700 4340 cmd.exe 87 PID 4340 wrote to memory of 700 4340 cmd.exe 87 PID 700 wrote to memory of 3548 700 FontSavessvc.exe 133 PID 700 wrote to memory of 3548 700 FontSavessvc.exe 133 PID 4340 wrote to memory of 2836 4340 cmd.exe 135 PID 4340 wrote to memory of 2836 4340 cmd.exe 135 PID 4340 wrote to memory of 2836 4340 cmd.exe 135 PID 3548 wrote to memory of 4816 3548 cmd.exe 136 PID 3548 wrote to memory of 4816 3548 cmd.exe 136 PID 3548 wrote to memory of 3232 3548 cmd.exe 140 PID 3548 wrote to memory of 3232 3548 cmd.exe 140 PID 5084 wrote to memory of 2708 5084 injector.exe 146 PID 5084 wrote to memory of 2708 5084 injector.exe 146 PID 5084 wrote to memory of 2708 5084 injector.exe 146 PID 4556 wrote to memory of 2252 4556 injector.exe 148 PID 4556 wrote to memory of 2252 4556 injector.exe 148 PID 4556 wrote to memory of 2252 4556 injector.exe 148 PID 2708 wrote to memory of 1916 2708 WScript.exe 149 PID 2708 wrote to memory of 1916 2708 WScript.exe 149 PID 2708 wrote to memory of 1916 2708 WScript.exe 149 PID 1916 wrote to memory of 4708 1916 cmd.exe 151 PID 1916 wrote to memory of 4708 1916 cmd.exe 151 PID 2252 wrote to memory of 456 2252 WScript.exe 152 PID 2252 wrote to memory of 456 2252 WScript.exe 152 PID 2252 wrote to memory of 456 2252 WScript.exe 152 PID 456 wrote to memory of 1332 456 cmd.exe 154 PID 456 wrote to memory of 1332 456 cmd.exe 154 PID 1916 wrote to memory of 4532 1916 cmd.exe 156 PID 1916 wrote to memory of 4532 1916 cmd.exe 156 PID 1916 wrote to memory of 4532 1916 cmd.exe 156 PID 456 wrote to memory of 5044 456 cmd.exe 157 PID 456 wrote to memory of 5044 456 
cmd.exe 157 PID 456 wrote to memory of 5044 456 cmd.exe 157 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\injector.exe"C:\Users\Admin\AppData\Local\Temp\injector.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ContainerBrowserdriverSaves\zMf6Snc2vba9Cw6hRBS8.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ContainerBrowserdriverSaves\6OeWR1FXcvG2y.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\ContainerBrowserdriverSaves\FontSavessvc.exe"C:\ContainerBrowserdriverSaves\FontSavessvc.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:700 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bQirf86Ys.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:4816
-
-
C:\Recovery\WindowsRE\services.exe"C:\Recovery\WindowsRE\services.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3232
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
PID:2836
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\it-IT\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\it-IT\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\SendTo\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\SendTo\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\SendTo\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\ContainerBrowserdriverSaves\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\ContainerBrowserdriverSaves\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\ContainerBrowserdriverSaves\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\odt\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5084
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\en-US\backgroundTaskHost.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3496
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\services.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4700
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\conhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Videos\conhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3320
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\conhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\Setup\Registry.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\Registry.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2564
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\Setup\Registry.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4000
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3788
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3192
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3372
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512
-
C:\Windows\System32\rundll32.exe — C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding 1⤵ PID:4860
-
C:\Users\Admin\AppData\Local\Temp\injector.exe — "C:\Users\Admin\AppData\Local\Temp\injector.exe" 1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\WScript.exe — "C:\Windows\System32\WScript.exe" "C:\ContainerBrowserdriverSaves\zMf6Snc2vba9Cw6hRBS8.vbe" 2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c ""C:\ContainerBrowserdriverSaves\6OeWR1FXcvG2y.bat" " 3⤵
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\ContainerBrowserdriverSaves\FontSavessvc.exe — "C:\ContainerBrowserdriverSaves\FontSavessvc.exe" 4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4708
-
-
C:\Windows\SysWOW64\reg.exe — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f 4⤵
- Modifies registry key
PID:4532
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\injector.exe — "C:\Users\Admin\AppData\Local\Temp\injector.exe" 1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\WScript.exe — "C:\Windows\System32\WScript.exe" "C:\ContainerBrowserdriverSaves\zMf6Snc2vba9Cw6hRBS8.vbe" 2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c ""C:\ContainerBrowserdriverSaves\6OeWR1FXcvG2y.bat" " 3⤵
- Suspicious use of WriteProcessMemory
PID:456 -
C:\ContainerBrowserdriverSaves\FontSavessvc.exe — "C:\ContainerBrowserdriverSaves\FontSavessvc.exe" 4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1332
-
-
C:\Windows\SysWOW64\reg.exe — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f 4⤵
- Modifies registry key
PID:5044
-
-
-
-
C:\Windows\System32\NOTEPAD.EXE — "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\5bQirf86Ys.bat 1⤵
- Opens file in notepad (likely ransom note)
PID:4204
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
161B
MD5 a0e39917ec26b1a741d886d6f2824323
SHA1 07f6e5479f17a1af7631f1d2f221b47879612411
SHA256 c54a9cc5dcc2f0c2e0e924eb6b86f115d3dda36209d8828dc6e76cbb248030a5
SHA512 4d1ddfbe497d17cc29f810f0b45dda822a1caefd2300698d9e99c729d5726070c52820a7ca3fc97e28312d7571fb79c2ce805c25130c1cb49cc7a257616cfc7b
-
Filesize
1.4MB
MD5 ec21d29695a307898cece2a430fabe11
SHA1 f602caed944dd33a7e9ad432f359bbc5604bf905
SHA256 b7feb0e84fd1f65c459c5de912bdfacd2cea2187fec75d376a35a235f7439117
SHA512 ad1ac7d1aa58b7950b36f7f84a587cc80fc969f6c10364aed6841913f4b9fee93e2f500a69ab33b6a6d0ba6f59a5e013d3cd757a7be710c891f8261d1da00652
-
Filesize
1.4MB
MD5 ec21d29695a307898cece2a430fabe11
SHA1 f602caed944dd33a7e9ad432f359bbc5604bf905
SHA256 b7feb0e84fd1f65c459c5de912bdfacd2cea2187fec75d376a35a235f7439117
SHA512 ad1ac7d1aa58b7950b36f7f84a587cc80fc969f6c10364aed6841913f4b9fee93e2f500a69ab33b6a6d0ba6f59a5e013d3cd757a7be710c891f8261d1da00652
-
Filesize
1.4MB
MD5 ec21d29695a307898cece2a430fabe11
SHA1 f602caed944dd33a7e9ad432f359bbc5604bf905
SHA256 b7feb0e84fd1f65c459c5de912bdfacd2cea2187fec75d376a35a235f7439117
SHA512 ad1ac7d1aa58b7950b36f7f84a587cc80fc969f6c10364aed6841913f4b9fee93e2f500a69ab33b6a6d0ba6f59a5e013d3cd757a7be710c891f8261d1da00652
-
Filesize
1.4MB
MD5 ec21d29695a307898cece2a430fabe11
SHA1 f602caed944dd33a7e9ad432f359bbc5604bf905
SHA256 b7feb0e84fd1f65c459c5de912bdfacd2cea2187fec75d376a35a235f7439117
SHA512 ad1ac7d1aa58b7950b36f7f84a587cc80fc969f6c10364aed6841913f4b9fee93e2f500a69ab33b6a6d0ba6f59a5e013d3cd757a7be710c891f8261d1da00652
-
Filesize
217B
MD5 7467f224c084ddefe3942d6c8da511a0
SHA1 093de51ae525fdaaac1022b323924b8def49237d
SHA256 09182276f0fcae0ac63018850413010fb13a256a49ba1d9726c9badef5db5834
SHA512 6ba3d0ec81c4fb80d13fa481dd427673ef7eee747abf1b344d774c956c6ccbb75eddf01cf2b1900b06297fefd2fcdd9ff7015c5fbf3c78688e5aacfa83d2cefc
-
Filesize
1.4MB
MD5 ec21d29695a307898cece2a430fabe11
SHA1 f602caed944dd33a7e9ad432f359bbc5604bf905
SHA256 b7feb0e84fd1f65c459c5de912bdfacd2cea2187fec75d376a35a235f7439117
SHA512 ad1ac7d1aa58b7950b36f7f84a587cc80fc969f6c10364aed6841913f4b9fee93e2f500a69ab33b6a6d0ba6f59a5e013d3cd757a7be710c891f8261d1da00652
-
Filesize
1.4MB
MD5 ec21d29695a307898cece2a430fabe11
SHA1 f602caed944dd33a7e9ad432f359bbc5604bf905
SHA256 b7feb0e84fd1f65c459c5de912bdfacd2cea2187fec75d376a35a235f7439117
SHA512 ad1ac7d1aa58b7950b36f7f84a587cc80fc969f6c10364aed6841913f4b9fee93e2f500a69ab33b6a6d0ba6f59a5e013d3cd757a7be710c891f8261d1da00652
-
Filesize
1KB
MD5 bbb951a34b516b66451218a3ec3b0ae1
SHA1 7393835a2476ae655916e0a9687eeaba3ee876e9
SHA256 eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a
SHA512 63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f
-
Filesize
199B
MD5 8c97eb3c477b1a6af8547ab1213d3a5d
SHA1 fa48d5d97d570961e99fca1c0d682d4e036353ff
SHA256 7862e8e2869bbee57b9bf496805f13009fa2a7d098bd8536773df2143e7d24aa
SHA512 b64b8fc682a5baa4604e8aca56396bbf7966dd39030f80750133d5ea81995c2f3306fd4e30b57c04de2164c41b606f41eef73b6f41d8deffeb5ff6fb8ec83572
-
Filesize
1.4MB
MD5 ec21d29695a307898cece2a430fabe11
SHA1 f602caed944dd33a7e9ad432f359bbc5604bf905
SHA256 b7feb0e84fd1f65c459c5de912bdfacd2cea2187fec75d376a35a235f7439117
SHA512 ad1ac7d1aa58b7950b36f7f84a587cc80fc969f6c10364aed6841913f4b9fee93e2f500a69ab33b6a6d0ba6f59a5e013d3cd757a7be710c891f8261d1da00652