Analysis
max time kernel: 148s
max time network: 152s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 11-06-2023 03:27

Static task: static1
Behavioral task: behavioral1
  Sample: a2ea8c0f0b809338bc212b9dce4169c6.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: a2ea8c0f0b809338bc212b9dce4169c6.exe
  Resource: win10v2004-20230220-en

General
Target: a2ea8c0f0b809338bc212b9dce4169c6.exe
Size: 1.8MB
MD5: a2ea8c0f0b809338bc212b9dce4169c6
SHA1: 2055d655fdc1da4d9090871b90a12a7d6f749d7d
SHA256: 7b1c20701d541771b5819005700826712f27970a335dda7cf150e2564802d515
SHA512: e6fed299bc4590e94b9ec25c7ba16ee974b738961c8899ff670e7a5c6560361038ad5e970ddd207c90316455363d943a95b8afc5416b8dfcd755fc133f49e60e
SSDEEP: 24576:26DZpO9y7b5UC4iSiLryeCB7sDmJEtQNUdvnCYjOjO45CT8xBVZHUnc9v8E99JG1:NDDHVHQNM1rcBUczNGHV

Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Modifies WinLogon for persistence (2 TTPs, 9 IoCs)
Processes: dllhost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\Admin\\PrintHood\\winlogon.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\wininit.exe\", \"C:\\Recovery\\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\\services.exe\", \"C:\\Recovery\\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Windows\\L2Schemas\\wininit.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\Admin\\PrintHood\\winlogon.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsass.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\Admin\\PrintHood\\winlogon.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\wininit.exe\", \"C:\\Recovery\\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\\services.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\Admin\\PrintHood\\winlogon.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\wininit.exe\", \"C:\\Recovery\\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\\services.exe\", \"C:\\Recovery\\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\\taskhost.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\Admin\\PrintHood\\winlogon.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\wininit.exe\", \"C:\\Recovery\\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\\services.exe\", \"C:\\Recovery\\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\cmd.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\csrss.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\Admin\\PrintHood\\winlogon.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\Admin\\PrintHood\\winlogon.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\wininit.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\Admin\\PrintHood\\winlogon.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\wininit.exe\", \"C:\\Recovery\\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\\services.exe\", \"C:\\Recovery\\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Windows\\L2Schemas\\wininit.exe\", \"C:\\Users\\Public\\Favorites\\spoolsv.exe\"" | dllhost.exe
Process spawned unexpected child process (27 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe
description (all 27 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target (all 27 rows): 1988
process (all 27 rows): schtasks.exe
pid: 612, 560, 1740, 1796, 1592, 1756, 1640, 328, 948, 268, 1484, 1820, 568, 1404, 1528, 2044, 1460, 1676, 2000, 876, 684, 884, 1212, 1088, 1176, 1168, 1332
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\Jjaxjjjbnfhspjlmroqdcratbuild (4).exe | dcrat
C:\Users\Admin\AppData\Local\Temp\Jjaxjjjbnfhspjlmroqdcratbuild (4).exe | dcrat
behavioral1/memory/1164-68-0x0000000000400000-0x0000000000456000-memory.dmp | dcrat
behavioral1/memory/1164-69-0x0000000000400000-0x0000000000456000-memory.dmp | dcrat
behavioral1/memory/1164-71-0x0000000000400000-0x0000000000456000-memory.dmp | dcrat
behavioral1/memory/1164-73-0x0000000000400000-0x0000000000456000-memory.dmp | dcrat
behavioral1/memory/1164-75-0x0000000000400000-0x0000000000456000-memory.dmp | dcrat
\Users\Admin\AppData\Roaming\Adobe\dllhost.exe | dcrat
C:\Users\Admin\AppData\Roaming\Adobe\dllhost.exe | dcrat
behavioral1/memory/1804-90-0x0000000000810000-0x0000000000866000-memory.dmp | dcrat
behavioral1/memory/1804-91-0x000000001AF60000-0x000000001AFE0000-memory.dmp | dcrat
C:\Program Files\Windows Portable Devices\lsass.exe | dcrat
C:\Users\Default\csrss.exe | dcrat
C:\Users\Default User\csrss.exe | dcrat
behavioral1/memory/1592-116-0x0000000000DC0000-0x0000000000E16000-memory.dmp | dcrat
behavioral1/memory/1592-117-0x0000000002290000-0x0000000002310000-memory.dmp | dcrat
Executes dropped EXE (3 IoCs)
Processes: Jjaxjjjbnfhspjlmroqdcratbuild (4).exe, dllhost.exe, csrss.exe
pid | process
792 | Jjaxjjjbnfhspjlmroqdcratbuild (4).exe
1804 | dllhost.exe
1592 | csrss.exe

Loads dropped DLL (3 IoCs)
Processes: a2ea8c0f0b809338bc212b9dce4169c6.exe, cmd.exe
pid | process
844 | a2ea8c0f0b809338bc212b9dce4169c6.exe
1972 | cmd.exe
1972 | cmd.exe
Adds Run key to start application (2 TTPs, 18 IoCs)
Processes: dllhost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Admin\\PrintHood\\winlogon.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Portable Devices\\lsass.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Portable Devices\\lsass.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\\services.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\cmd.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\L2Schemas\\wininit.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Reference Assemblies\\wininit.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\\taskhost.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\L2Schemas\\wininit.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Admin\\PrintHood\\winlogon.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\cmd.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Reference Assemblies\\wininit.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\\services.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\\taskhost.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Public\\Favorites\\spoolsv.exe\"" | dllhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Public\\Favorites\\spoolsv.exe\"" | dllhost.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: a2ea8c0f0b809338bc212b9dce4169c6.exe
description | pid | process | target process
PID 844 set thread context of 1164 | 844 | a2ea8c0f0b809338bc212b9dce4169c6.exe | a2ea8c0f0b809338bc212b9dce4169c6.exe

Drops file in Program Files directory (4 IoCs)
Processes: dllhost.exe
description | ioc | process
File created | C:\Program Files\Windows Portable Devices\lsass.exe | dllhost.exe
File created | C:\Program Files\Windows Portable Devices\6203df4a6bafc7 | dllhost.exe
File created | C:\Program Files (x86)\Reference Assemblies\wininit.exe | dllhost.exe
File created | C:\Program Files (x86)\Reference Assemblies\56085415360792 | dllhost.exe

Drops file in Windows directory (2 IoCs)
Processes: dllhost.exe
description | ioc | process
File created | C:\Windows\L2Schemas\wininit.exe | dllhost.exe
File created | C:\Windows\L2Schemas\56085415360792 | dllhost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 27 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe
process (all 27 rows): schtasks.exe
pid: 1740, 268, 1528, 2044, 684, 612, 1592, 1640, 328, 568, 560, 1820, 1404, 2000, 1756, 948, 1484, 1460, 1168, 1176, 876, 1088, 1796, 1676, 884, 1212, 1332
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: a2ea8c0f0b809338bc212b9dce4169c6.exe, dllhost.exe
pid | process
1164 | a2ea8c0f0b809338bc212b9dce4169c6.exe (9 rows)
1804 | dllhost.exe (1 row)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: a2ea8c0f0b809338bc212b9dce4169c6.exe, dllhost.exe, csrss.exe
description | pid | process
Token: SeDebugPrivilege | 844 | a2ea8c0f0b809338bc212b9dce4169c6.exe
Token: SeDebugPrivilege | 1164 | a2ea8c0f0b809338bc212b9dce4169c6.exe
Token: SeDebugPrivilege | 1804 | dllhost.exe
Token: SeDebugPrivilege | 1592 | csrss.exe

Suspicious use of WriteProcessMemory (28 IoCs)
Processes: a2ea8c0f0b809338bc212b9dce4169c6.exe, Jjaxjjjbnfhspjlmroqdcratbuild (4).exe, WScript.exe, cmd.exe, dllhost.exe
description | pid | process | target process
PID 844 wrote to memory of 792 | 844 | a2ea8c0f0b809338bc212b9dce4169c6.exe | Jjaxjjjbnfhspjlmroqdcratbuild (4).exe (4 rows)
PID 844 wrote to memory of 1164 | 844 | a2ea8c0f0b809338bc212b9dce4169c6.exe | a2ea8c0f0b809338bc212b9dce4169c6.exe (9 rows)
PID 792 wrote to memory of 2044 | 792 | Jjaxjjjbnfhspjlmroqdcratbuild (4).exe | WScript.exe (4 rows)
PID 2044 wrote to memory of 1972 | 2044 | WScript.exe | cmd.exe (4 rows)
PID 1972 wrote to memory of 1804 | 1972 | cmd.exe | dllhost.exe (4 rows)
PID 1804 wrote to memory of 1592 | 1804 | dllhost.exe | csrss.exe (3 rows)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows the parent/child nesting of the process tree)

C:\Users\Admin\AppData\Local\Temp\a2ea8c0f0b809338bc212b9dce4169c6.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a2ea8c0f0b809338bc212b9dce4169c6.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Jjaxjjjbnfhspjlmroqdcratbuild (4).exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Jjaxjjjbnfhspjlmroqdcratbuild (4).exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\52gkn9uQF.vbe"
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Adobe\yejrXrInbKlCAF.bat" "
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\Adobe\dllhost.exe
          command line: "C:\Users\Admin\AppData\Roaming\\Adobe\dllhost.exe"
          - Modifies WinLogon for persistence
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Users\Default User\csrss.exe
            command line: "C:\Users\Default User\csrss.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\a2ea8c0f0b809338bc212b9dce4169c6.exe
    command line: C:\Users\Admin\AppData\Local\Temp\a2ea8c0f0b809338bc212b9dce4169c6.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\PrintHood\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\wininit.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\services.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\wininit.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Favorites\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Favorites\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Favorites\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Downloads