Analysis
- max time kernel: 165s
- max time network: 179s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/11/2023, 04:49
Behavioral task: behavioral1
- Sample: NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe
- Resource: win7-20231025-en
Behavioral task: behavioral2
- Sample: NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe
- Size: 1.4MB
- MD5: 54df88c3e72b8d4229f6bf6adabef9e0
- SHA1: c2c6ff9f9677cdeb3c88e81d97317977ca87e56e
- SHA256: 12bcaa224d590750b33a90651d922fee72babd1d4f425ecb5f072f1679af21d5
- SHA512: 9c347e096251b7de0562633aaf0b36cb54e83c4ad3bac70fb77ed5c215034ba96674a23f0d532c318479f839e9320a1f5b75aa387371873edca3a3fecc22034d
- SSDEEP: 24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
resource | yara_rule
behavioral2/memory/3596-0-0x00000000006A0000-0x000000000080C000-memory.dmp | dcrat
behavioral2/files/0x0006000000022de0-46.dat | dcrat
behavioral2/files/0x0006000000022de0-259.dat | dcrat
behavioral2/files/0x0006000000022de0-260.dat | dcrat
behavioral2/files/0x0006000000022de0-333.dat | dcrat
behavioral2/files/0x0007000000022df9-339.dat | dcrat
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4444 | 2516 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4092 | 2516 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1108 | 2516 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4204 | 2516 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4136 | 2516 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4788 | 2516 | schtasks.exe | 89
UAC bypass 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation | csrss.exe
Executes dropped EXE 2 IoCs
pid | Process
5736 | csrss.exe
5664 | csrss.exe
Checks whether UAC is enabled 6 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\de-DE\SppExtComObj.exe | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe
File created | C:\Windows\de-DE\SppExtComObj.exe | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe
File created | C:\Windows\de-DE\e1ef82546f0b02 | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe
File opened for modification | C:\Windows\de-DE\RCX950B.tmp | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe
File opened for modification | C:\Windows\de-DE\RCX9CBD.tmp | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4444 | schtasks.exe
4092 | schtasks.exe
1108 | schtasks.exe
4204 | schtasks.exe
4136 | schtasks.exe
4788 | schtasks.exe
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe
Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\Local Settings | csrss.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3596 | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe (this identical row is listed 64 times in the report)
Suspicious use of AdjustPrivilegeToken 15 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3596 | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe
Token: SeDebugPrivilege | 4756 | powershell.exe
Token: SeDebugPrivilege | 4880 | powershell.exe
Token: SeDebugPrivilege | 3512 | powershell.exe
Token: SeDebugPrivilege | 8 | powershell.exe
Token: SeDebugPrivilege | 1372 | powershell.exe
Token: SeDebugPrivilege | 3108 | powershell.exe
Token: SeDebugPrivilege | 3976 | powershell.exe
Token: SeDebugPrivilege | 4832 | powershell.exe
Token: SeDebugPrivilege | 488 | powershell.exe
Token: SeDebugPrivilege | 5076 | powershell.exe
Token: SeDebugPrivilege | 1744 | powershell.exe
Token: SeDebugPrivilege | 2172 | powershell.exe
Token: SeDebugPrivilege | 5736 | csrss.exe
Token: SeDebugPrivilege | 5664 | csrss.exe
Suspicious use of WriteProcessMemory 36 IoCs
description | pid | Process | procid_target
(each of the following rows is listed twice in the report)
PID 3596 wrote to memory of 2172 | 3596 | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | 100
PID 3596 wrote to memory of 4832 | 3596 | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | 99
PID 3596 wrote to memory of 8 | 3596 | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | 101
PID 3596 wrote to memory of 4880 | 3596 | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | 102
PID 3596 wrote to memory of 3512 | 3596 | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | 103
PID 3596 wrote to memory of 3108 | 3596 | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | 104
PID 3596 wrote to memory of 3976 | 3596 | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | 105
PID 3596 wrote to memory of 1744 | 3596 | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | 106
PID 3596 wrote to memory of 5076 | 3596 | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | 122
PID 3596 wrote to memory of 4756 | 3596 | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | 121
PID 3596 wrote to memory of 488 | 3596 | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | 120
PID 3596 wrote to memory of 1372 | 3596 | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | 119
PID 3596 wrote to memory of 5736 | 3596 | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | 123
PID 5736 wrote to memory of 5156 | 5736 | csrss.exe | 129
PID 5736 wrote to memory of 5220 | 5736 | csrss.exe | 130
PID 5156 wrote to memory of 5664 | 5156 | WScript.exe | 139
PID 5664 wrote to memory of 3532 | 5664 | csrss.exe | 140
PID 5664 wrote to memory of 5584 | 5664 | csrss.exe | 141
System policy modification 1 TTPs 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe"
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 3596

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 4832

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 2172

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 8

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 4880

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 3512

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 3108

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 3976

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 1744

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 1372

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 488

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 4756

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  - Suspicious use of AdjustPrivilegeToken
  PID: 5076

  C:\Recovery\WindowsRE\csrss.exe (depth 2)
  Command line: "C:\Recovery\WindowsRE\csrss.exe"
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 5736

    C:\Windows\System32\WScript.exe (depth 3)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d8bcf71-f23d-4479-9ac7-b92664fc1657.vbs"
    - Suspicious use of WriteProcessMemory
    PID: 5156

      C:\Recovery\WindowsRE\csrss.exe (depth 4)
      Command line: C:\Recovery\WindowsRE\csrss.exe
      - UAC bypass
      - Checks computer location settings
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 5664

        C:\Windows\System32\WScript.exe (depth 5)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\279a4862-757c-452d-aa5b-3eb7074d611a.vbs"
        PID: 3532

        C:\Windows\System32\WScript.exe (depth 5)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83239a2d-94d9-466e-8e24-929a88e27bba.vbs"
        PID: 5584

    C:\Windows\System32\WScript.exe (depth 3)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c81cdece-bd16-43c6-8ba7-2acc0a76a7c6.vbs"
    PID: 5220

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4444

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4092

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1108

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\SppExtComObj.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4204

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\de-DE\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4136

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4788
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Scheduled Task/Job (1)
Downloads
- Filesize 1.4MB
  MD5 54df88c3e72b8d4229f6bf6adabef9e0
  SHA1 c2c6ff9f9677cdeb3c88e81d97317977ca87e56e
  SHA256 12bcaa224d590750b33a90651d922fee72babd1d4f425ecb5f072f1679af21d5
  SHA512 9c347e096251b7de0562633aaf0b36cb54e83c4ad3bac70fb77ed5c215034ba96674a23f0d532c318479f839e9320a1f5b75aa387371873edca3a3fecc22034d
- Filesize 1.4MB
  MD5 54df88c3e72b8d4229f6bf6adabef9e0
  SHA1 c2c6ff9f9677cdeb3c88e81d97317977ca87e56e
  SHA256 12bcaa224d590750b33a90651d922fee72babd1d4f425ecb5f072f1679af21d5
  SHA512 9c347e096251b7de0562633aaf0b36cb54e83c4ad3bac70fb77ed5c215034ba96674a23f0d532c318479f839e9320a1f5b75aa387371873edca3a3fecc22034d
- Filesize 1.4MB
  MD5 54df88c3e72b8d4229f6bf6adabef9e0
  SHA1 c2c6ff9f9677cdeb3c88e81d97317977ca87e56e
  SHA256 12bcaa224d590750b33a90651d922fee72babd1d4f425ecb5f072f1679af21d5
  SHA512 9c347e096251b7de0562633aaf0b36cb54e83c4ad3bac70fb77ed5c215034ba96674a23f0d532c318479f839e9320a1f5b75aa387371873edca3a3fecc22034d
- Filesize 1.4MB
  MD5 54df88c3e72b8d4229f6bf6adabef9e0
  SHA1 c2c6ff9f9677cdeb3c88e81d97317977ca87e56e
  SHA256 12bcaa224d590750b33a90651d922fee72babd1d4f425ecb5f072f1679af21d5
  SHA512 9c347e096251b7de0562633aaf0b36cb54e83c4ad3bac70fb77ed5c215034ba96674a23f0d532c318479f839e9320a1f5b75aa387371873edca3a3fecc22034d
- Filesize 1KB
  MD5 9b0256da3bf9a5303141361b3da59823
  SHA1 d73f34951777136c444eb2c98394f62912ebcdac
  SHA256 96cbc3f4e49d7ae13cd46e36ebb4819b6db1eabe5db910902638c1a24947208e
  SHA512 9f014fef4b1bb71dbdd1d0bad11bd20437a9801eaa830ab386f901f6b5be374a26f68161d7638ea03483028e9a56bf97023cc24b45356a9c76cb755a53d9c164
- Filesize 2KB
  MD5 d85ba6ff808d9e5444a4b369f5bc2730
  SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- Filesize 944B
  MD5 e243a38635ff9a06c87c2a61a2200656
  SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
  SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
  SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
- Filesize 944B
  MD5 e243a38635ff9a06c87c2a61a2200656
  SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
  SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
  SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
- Filesize 944B
  MD5 d28a889fd956d5cb3accfbaf1143eb6f
  SHA1 157ba54b365341f8ff06707d996b3635da8446f7
  SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
  SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
- Filesize 944B
  MD5 aaaac7c68d2b7997ed502c26fd9f65c2
  SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
  SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
  SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac
- Filesize 944B
  MD5 aaaac7c68d2b7997ed502c26fd9f65c2
  SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
  SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
  SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac
- Filesize 944B
  MD5 a8e8360d573a4ff072dcc6f09d992c88
  SHA1 3446774433ceaf0b400073914facab11b98b6807
  SHA256 bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
  SHA512 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe
- Filesize 944B
  MD5 e448fe0d240184c6597a31d3be2ced58
  SHA1 372b8d8c19246d3e38cd3ba123cc0f56070f03cd
  SHA256 c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
  SHA512 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4
- Filesize 944B
  MD5 e448fe0d240184c6597a31d3be2ced58
  SHA1 372b8d8c19246d3e38cd3ba123cc0f56070f03cd
  SHA256 c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
  SHA512 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4
- Filesize 944B
  MD5 cadef9abd087803c630df65264a6c81c
  SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
  SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
  SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
- Filesize 944B
  MD5 cadef9abd087803c630df65264a6c81c
  SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
  SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
  SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
- Filesize 944B
  MD5 cadef9abd087803c630df65264a6c81c
  SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
  SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
  SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
- Filesize 707B
  MD5 05a28590680a059656a923a6b608b6a0
  SHA1 77c73b5cba163ead23bafbfaa38601a129ece182
  SHA256 6771f70265e565bb47630ae4561bda15faf30f662a7551c8d6cc9bfd073944a2
  SHA512 545d27a02b5501581f98742f52942f27f3113ac2ec6a87c65d8282afbbfd294d26de5568abec6759bbd1026e66207bcad6a0895961d7f3b1bfb5afe5c1bb1804
- Filesize 707B
  MD5 70b2a9f0a3dd55222e729bd70dbe5f6b
  SHA1 7a979224dc14327c74cf7b4237b305e30bc2ddb8
  SHA256 bc089e7e8dfdb88e340593412af9af3dad468c580169e677fd9877993892d251
  SHA512 85a770e95cd03def2bb20aaa2abe0982db1cb746aa279eaec7c57acd13bcb67df44f889a6252238985e6a1809bdcc950a3c18f147b5ce9253a1d63e22f50a223
- Filesize 483B
  MD5 1ebf7be841955424f63b671d01ee5ebe
  SHA1 abe2236e60c57264fe2e90f2c14cc33b9bfc41a7
  SHA256 bcf72b16678b1c05d772504f9558b546edb2938b433e6cf7068c3947e7758980
  SHA512 99f433060575e67b452957a2e170be7c900cda8e827adb735ebdaf16163120e55622c84100ec19869b1344fab3270530c9e1eb032510598898974c75f52a4d76
- Filesize 483B
  MD5 1ebf7be841955424f63b671d01ee5ebe
  SHA1 abe2236e60c57264fe2e90f2c14cc33b9bfc41a7
  SHA256 bcf72b16678b1c05d772504f9558b546edb2938b433e6cf7068c3947e7758980
  SHA512 99f433060575e67b452957a2e170be7c900cda8e827adb735ebdaf16163120e55622c84100ec19869b1344fab3270530c9e1eb032510598898974c75f52a4d76
- Filesize 60B
  MD5 d17fe0a3f47be24a6453e9ef58c94641
  SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize 483B
  MD5 1ebf7be841955424f63b671d01ee5ebe
  SHA1 abe2236e60c57264fe2e90f2c14cc33b9bfc41a7
  SHA256 bcf72b16678b1c05d772504f9558b546edb2938b433e6cf7068c3947e7758980
  SHA512 99f433060575e67b452957a2e170be7c900cda8e827adb735ebdaf16163120e55622c84100ec19869b1344fab3270530c9e1eb032510598898974c75f52a4d76
- Filesize 1.4MB
  MD5 54df88c3e72b8d4229f6bf6adabef9e0
  SHA1 c2c6ff9f9677cdeb3c88e81d97317977ca87e56e
  SHA256 12bcaa224d590750b33a90651d922fee72babd1d4f425ecb5f072f1679af21d5
  SHA512 9c347e096251b7de0562633aaf0b36cb54e83c4ad3bac70fb77ed5c215034ba96674a23f0d532c318479f839e9320a1f5b75aa387371873edca3a3fecc22034d