Analysis
-
max time kernel
117s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
18/11/2023, 01:07
Behavioral task
behavioral1
Sample
NEAS.01a66ce702b81396f987e22d5c5513a0.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
NEAS.01a66ce702b81396f987e22d5c5513a0.exe
Resource
win10v2004-20231023-en
General
-
Target
NEAS.01a66ce702b81396f987e22d5c5513a0.exe
-
Size
783KB
-
MD5
01a66ce702b81396f987e22d5c5513a0
-
SHA1
007e52fa1766724d21a7305fe0f0209fb67c8fc8
-
SHA256
b08756ce1a131b1b6037549e8133e5e0d85e4eccd3ca97242dfe9827138e0c67
-
SHA512
a70a72d2b5f7ac3e8d08c43577257c913c054017f0c44e4bfceb308005693cfc457a7dd29d72878546f4ab8ba58b2a24632718c37e336613e18f74cda3497f16
-
SSDEEP
12288:mqnOYxdAgpoNeF91rg5iFdr0yQ9gYx+EIpakCYJRU7Q9bWoFzqK:m+OQbpbgsFdAyQvzSqaq8q
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2864 1672 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2740 1672 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2568 1672 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2260 1672 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1368 1672 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 772 1672 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2416 1672 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2144 1672 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2528 1672 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2100 1672 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1296 1672 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2200 1672 schtasks.exe 28 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe -
resource yara_rule behavioral1/memory/1100-0-0x0000000000160000-0x000000000022A000-memory.dmp dcrat behavioral1/files/0x0006000000016d0a-32.dat dcrat behavioral1/files/0x0007000000016d77-85.dat dcrat behavioral1/files/0x0008000000016455-86.dat dcrat behavioral1/files/0x000500000001873d-130.dat dcrat behavioral1/files/0x000500000001873d-131.dat dcrat behavioral1/memory/1260-133-0x0000000001170000-0x000000000123A000-memory.dmp dcrat -
Executes dropped EXE 2 IoCs
pid Process 1120 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1260 WmiPrvSE.exe -
Adds Run key to start application 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Java\\jdk1.7.0_80\\include\\wininit.exe\"" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NEAS.01a66ce702b81396f987e22d5c5513a0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistUI5C30\\NEAS.01a66ce702b81396f987e22d5c5513a0.exe\"" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\msfeeds\\winlogon.exe\"" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Documents and Settings\\WmiPrvSE.exe\"" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\odbccu32\\dwm.exe\"" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\d10510a2-6fc3-11ee-bc6f-a02387f916ed\\explorer.exe\"" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Documents and Settings\\Idle.exe\"" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Java\\jdk1.7.0_80\\bin\\csrss.exe\"" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\pdh\\services.exe\"" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\csrss.exe\"" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\PerfLogs\\Admin\\services.exe\"" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\PerfLogs\\Admin\\audiodg.exe\"" NEAS.01a66ce702b81396f987e22d5c5513a0.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe -
Drops file in System32 directory 10 IoCs
description ioc Process File created C:\Windows\System32\odbccu32\dwm.exe NEAS.01a66ce702b81396f987e22d5c5513a0.exe File opened for modification C:\Windows\System32\odbccu32\dwm.exe NEAS.01a66ce702b81396f987e22d5c5513a0.exe File created C:\Windows\System32\pdh\services.exe NEAS.01a66ce702b81396f987e22d5c5513a0.exe File opened for modification C:\Windows\System32\msfeeds\winlogon.exe NEAS.01a66ce702b81396f987e22d5c5513a0.exe File created C:\Windows\System32\odbccu32\6cb0b6c459d5d3455a3da700e713f2e2529862ff NEAS.01a66ce702b81396f987e22d5c5513a0.exe File opened for modification C:\Windows\System32\odbccu32\RCX97CE.tmp NEAS.01a66ce702b81396f987e22d5c5513a0.exe File opened for modification C:\Windows\System32\pdh\services.exe NEAS.01a66ce702b81396f987e22d5c5513a0.exe File created C:\Windows\System32\pdh\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d NEAS.01a66ce702b81396f987e22d5c5513a0.exe File created C:\Windows\System32\msfeeds\winlogon.exe NEAS.01a66ce702b81396f987e22d5c5513a0.exe File created C:\Windows\System32\msfeeds\cc11b995f2a76da408ea6a601e682e64743153ad NEAS.01a66ce702b81396f987e22d5c5513a0.exe -
Drops file in Program Files directory 8 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\csrss.exe NEAS.01a66ce702b81396f987e22d5c5513a0.exe File created C:\Program Files\Java\jdk1.7.0_80\include\wininit.exe NEAS.01a66ce702b81396f987e22d5c5513a0.exe File created C:\Program Files\Java\jdk1.7.0_80\include\560854153607923c4c5f107085a7db67be01f252 NEAS.01a66ce702b81396f987e22d5c5513a0.exe File created C:\Program Files\Java\jdk1.7.0_80\bin\csrss.exe NEAS.01a66ce702b81396f987e22d5c5513a0.exe File created C:\Program Files\Java\jdk1.7.0_80\bin\886983d96e3d3e31032c679b2d4ea91b6c05afef NEAS.01a66ce702b81396f987e22d5c5513a0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\RCX9DF8.tmp NEAS.01a66ce702b81396f987e22d5c5513a0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\wininit.exe NEAS.01a66ce702b81396f987e22d5c5513a0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\RCX9FFC.tmp NEAS.01a66ce702b81396f987e22d5c5513a0.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Boot\PCAT\el-GR\sppsvc.exe NEAS.01a66ce702b81396f987e22d5c5513a0.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2864 schtasks.exe 2740 schtasks.exe 2260 schtasks.exe 1368 schtasks.exe 772 schtasks.exe 2144 schtasks.exe 2528 schtasks.exe 2100 schtasks.exe 1296 schtasks.exe 2568 schtasks.exe 2416 schtasks.exe 2200 schtasks.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 WmiPrvSE.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 WmiPrvSE.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 WmiPrvSE.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 WmiPrvSE.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 WmiPrvSE.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 WmiPrvSE.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1120 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1120 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1120 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1120 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1120 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1120 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1120 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1120 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1120 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1120 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1120 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1120 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1120 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 1260 WmiPrvSE.exe 1260 WmiPrvSE.exe 1260 WmiPrvSE.exe 1260 WmiPrvSE.exe 1260 WmiPrvSE.exe 1260 WmiPrvSE.exe 1260 WmiPrvSE.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe Token: SeDebugPrivilege 1120 NEAS.01a66ce702b81396f987e22d5c5513a0.exe Token: SeDebugPrivilege 1260 WmiPrvSE.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1100 wrote to memory of 1120 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 34 PID 1100 wrote to memory of 1120 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 34 PID 1100 wrote to memory of 1120 1100 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 34 PID 1120 wrote to memory of 1136 1120 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 42 PID 1120 wrote to memory of 1136 1120 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 42 PID 1120 wrote to memory of 1136 1120 NEAS.01a66ce702b81396f987e22d5c5513a0.exe 42 PID 1136 wrote to memory of 1548 1136 cmd.exe 44 PID 1136 wrote to memory of 1548 1136 cmd.exe 44 PID 1136 wrote to memory of 1548 1136 cmd.exe 44 PID 1136 wrote to memory of 1260 1136 cmd.exe 45 PID 1136 wrote to memory of 1260 1136 cmd.exe 45 PID 1136 wrote to memory of 1260 1136 cmd.exe 45 -
System policy modification 1 TTPs 9 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" NEAS.01a66ce702b81396f987e22d5c5513a0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" NEAS.01a66ce702b81396f987e22d5c5513a0.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe"1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1100 -
C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.01a66ce702b81396f987e22d5c5513a0.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1120 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BeXS80QdQo.bat"3⤵
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:24⤵PID:1548
-
-
C:\Documents and Settings\WmiPrvSE.exe"C:\Documents and Settings\WmiPrvSE.exe"4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1260
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\odbccu32\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Documents and Settings\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\include\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\pdh\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "NEAS.01a66ce702b81396f987e22d5c5513a0" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI5C30\NEAS.01a66ce702b81396f987e22d5c5513a0.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\PerfLogs\Admin\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Documents and Settings\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\PerfLogs\Admin\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\msfeeds\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
783KB
MD501a66ce702b81396f987e22d5c5513a0
SHA1007e52fa1766724d21a7305fe0f0209fb67c8fc8
SHA256b08756ce1a131b1b6037549e8133e5e0d85e4eccd3ca97242dfe9827138e0c67
SHA512a70a72d2b5f7ac3e8d08c43577257c913c054017f0c44e4bfceb308005693cfc457a7dd29d72878546f4ab8ba58b2a24632718c37e336613e18f74cda3497f16
-
Filesize
783KB
MD501a66ce702b81396f987e22d5c5513a0
SHA1007e52fa1766724d21a7305fe0f0209fb67c8fc8
SHA256b08756ce1a131b1b6037549e8133e5e0d85e4eccd3ca97242dfe9827138e0c67
SHA512a70a72d2b5f7ac3e8d08c43577257c913c054017f0c44e4bfceb308005693cfc457a7dd29d72878546f4ab8ba58b2a24632718c37e336613e18f74cda3497f16
-
Filesize
783KB
MD50cf392f9ea23f40771d947fb9110ef83
SHA1ce31df425826ee48678c1f486b6fa0630777e6f6
SHA2560e750fc57f7bf6e9beb28cda4cb0dc9061bcd0ee05fcc4bf5f3e27aaf88fa73f
SHA5123caefa3730f4ad652c86ffb73609978d6d0f0174fd8b17beda045164438fd30ca2858147d3b54d7af330ffe937f5ee8e88b1bce6b8571c01ced1d2776aeee5c5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5c613fdfb9df8f3675b742ebd92f7d6de
SHA1662a6d81346e9fc92cd5f63fd12b4c5b3fb5db19
SHA256988687a708dce151029a14fafa1883848db53e2b57b87169cccba3a44d94507e
SHA512e86a15799acead92c34adf374c6e4f5b0a415442a814c7d5cfb0de58e3af30aee866ebd0a041072f774c5bd527b8324dd49f701d970bfe001f87c22cdd0e4746
-
Filesize
202B
MD551d9abcacda6f2a709ba74a80aefb282
SHA16c079cb3983192ab4d88457d641570e093ebd2d1
SHA2566fbba04f76dbb9ea740c4a2968ffc71ff0f95f3073330310e7c02bb537eb9d75
SHA51291ff77fbb97e98c33fcae72b7394a81916dc97cf8453b80b4195e2f5ad684f689b06dc576ae5620341aa585250ccac3b5d5c9a9e9e60bd33b045cd4e18c56a06
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
783KB
MD501a66ce702b81396f987e22d5c5513a0
SHA1007e52fa1766724d21a7305fe0f0209fb67c8fc8
SHA256b08756ce1a131b1b6037549e8133e5e0d85e4eccd3ca97242dfe9827138e0c67
SHA512a70a72d2b5f7ac3e8d08c43577257c913c054017f0c44e4bfceb308005693cfc457a7dd29d72878546f4ab8ba58b2a24632718c37e336613e18f74cda3497f16
-
Filesize
163KB
MD59441737383d21192400eca82fda910ec
SHA1725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA5127608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
-
Filesize
783KB
MD501a66ce702b81396f987e22d5c5513a0
SHA1007e52fa1766724d21a7305fe0f0209fb67c8fc8
SHA256b08756ce1a131b1b6037549e8133e5e0d85e4eccd3ca97242dfe9827138e0c67
SHA512a70a72d2b5f7ac3e8d08c43577257c913c054017f0c44e4bfceb308005693cfc457a7dd29d72878546f4ab8ba58b2a24632718c37e336613e18f74cda3497f16