0c35f5b724faaa4d0f4f17f62272610047408b381df876067c98fca735a3682d

Analysis

max time kernel
1801s
max time network
1171s
platform
windows11-21h2_x64
resource
win11-20231128-en
resource tags

arch:x64arch:x86image:win11-20231128-enlocale:en-usos:windows11-21h2-x64system
submitted
04-12-2023 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll
Size

628KB
MD5

97a26d9e3598fea2e1715c6c77b645c2
SHA1

c4bf3a00c9223201aa11178d0f0b53c761a551c4
SHA256

e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f
SHA512

acfec633714f72bd5c39f16f10e39e88b5c1cf0adab7154891a383912852f92d3415b0b2d874a8f8f3166879e63796a8ed25ee750c6e4be09a4dddd8c849920c
SSDEEP

12288:2oXYZawPO7urFw4HLLDOeLSwg4ULeHOuCqA8:2oXYFIuh5HjhSwiJ8

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2189761507-171623489-4293150984-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nqykhcmevtotyc = "\"C:\\Users\\Admin\\AppData\\Roaming\\7NBp\\DeviceEnroller.exe\""

Drops file in System32 directory 2 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\system32\CCgo\sdclt.exe cmd.exe
File opened for modification C:\Windows\system32\CCgo\sdclt.exe cmd.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1536 schtasks.exe

description	ioc	process
File created	C:\Windows\system32\CCgo\sdclt.exe	cmd.exe
File opened for modification	C:\Windows\system32\CCgo\sdclt.exe	cmd.exe

pid	process
1536	schtasks.exe

Modifies registry class 10 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2189761507-171623489-4293150984-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\rxDr.cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-2189761507-171623489-4293150984-1000_Classes\ms-settings\shell\open\command\DelegateExecute
Key deleted	\REGISTRY\USER\S-1-5-21-2189761507-171623489-4293150984-1000_Classes\ms-settings\shell\open\command
Key deleted	\REGISTRY\USER\S-1-5-21-2189761507-171623489-4293150984-1000_Classes\ms-settings\shell\open
Key created	\REGISTRY\USER\S-1-5-21-2189761507-171623489-4293150984-1000_Classes\ms-settings
Key created	\REGISTRY\USER\S-1-5-21-2189761507-171623489-4293150984-1000_Classes\ms-settings\shell
Key deleted	\REGISTRY\USER\S-1-5-21-2189761507-171623489-4293150984-1000_Classes\ms-settings\shell
Key deleted	\REGISTRY\USER\S-1-5-21-2189761507-171623489-4293150984-1000_Classes\ms-settings
Key created	\REGISTRY\USER\S-1-5-21-2189761507-171623489-4293150984-1000_Classes\ms-settings\shell\open\command
Key created	\REGISTRY\USER\S-1-5-21-2189761507-171623489-4293150984-1000_Classes\ms-settings\shell\open

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4576	rundll32.exe
4576	rundll32.exe
4576	rundll32.exe
4576	rundll32.exe
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3368

pid	process
3368

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fodhelper.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3368 wrote to memory of 3700	3368		DeviceEnroller.exe
PID 3368 wrote to memory of 3700	3368		DeviceEnroller.exe
PID 3368 wrote to memory of 3532	3368		cmd.exe
PID 3368 wrote to memory of 3532	3368		cmd.exe
PID 3368 wrote to memory of 2596	3368		sdclt.exe
PID 3368 wrote to memory of 2596	3368		sdclt.exe
PID 3368 wrote to memory of 3516	3368		cmd.exe
PID 3368 wrote to memory of 3516	3368		cmd.exe
PID 3368 wrote to memory of 4144	3368		fodhelper.exe
PID 3368 wrote to memory of 4144	3368		fodhelper.exe
PID 4144 wrote to memory of 4756	4144	fodhelper.exe	cmd.exe
PID 4144 wrote to memory of 4756	4144	fodhelper.exe	cmd.exe
PID 4756 wrote to memory of 1536	4756	cmd.exe	schtasks.exe
PID 4756 wrote to memory of 1536	4756	cmd.exe	schtasks.exe
PID 3368 wrote to memory of 3012	3368		cmd.exe
PID 3368 wrote to memory of 3012	3368		cmd.exe
PID 3012 wrote to memory of 1420	3012	cmd.exe	schtasks.exe
PID 3012 wrote to memory of 1420	3012	cmd.exe	schtasks.exe
PID 3368 wrote to memory of 4632	3368		cmd.exe
PID 3368 wrote to memory of 4632	3368		cmd.exe
PID 4632 wrote to memory of 3788	4632	cmd.exe	schtasks.exe
PID 4632 wrote to memory of 3788	4632	cmd.exe	schtasks.exe
PID 3368 wrote to memory of 2068	3368		cmd.exe
PID 3368 wrote to memory of 2068	3368		cmd.exe
PID 2068 wrote to memory of 2148	2068	cmd.exe	schtasks.exe
PID 2068 wrote to memory of 2148	2068	cmd.exe	schtasks.exe
PID 3368 wrote to memory of 3812	3368		cmd.exe
PID 3368 wrote to memory of 3812	3368		cmd.exe
PID 3812 wrote to memory of 2864	3812	cmd.exe	schtasks.exe
PID 3812 wrote to memory of 2864	3812	cmd.exe	schtasks.exe
PID 3368 wrote to memory of 2924	3368		cmd.exe
PID 3368 wrote to memory of 2924	3368		cmd.exe
PID 2924 wrote to memory of 3176	2924	cmd.exe	schtasks.exe
PID 2924 wrote to memory of 3176	2924	cmd.exe	schtasks.exe
PID 3368 wrote to memory of 2452	3368		cmd.exe
PID 3368 wrote to memory of 2452	3368		cmd.exe
PID 2452 wrote to memory of 424	2452	cmd.exe	schtasks.exe
PID 2452 wrote to memory of 424	2452	cmd.exe	schtasks.exe
PID 3368 wrote to memory of 3632	3368		cmd.exe
PID 3368 wrote to memory of 3632	3368		cmd.exe
PID 3632 wrote to memory of 4144	3632	cmd.exe	schtasks.exe
PID 3632 wrote to memory of 4144	3632	cmd.exe	schtasks.exe
PID 3368 wrote to memory of 3600	3368		cmd.exe
PID 3368 wrote to memory of 3600	3368		cmd.exe
PID 3600 wrote to memory of 3412	3600	cmd.exe	schtasks.exe
PID 3600 wrote to memory of 3412	3600	cmd.exe	schtasks.exe
PID 3368 wrote to memory of 1360	3368		cmd.exe
PID 3368 wrote to memory of 1360	3368		cmd.exe
PID 1360 wrote to memory of 2612	1360	cmd.exe	schtasks.exe
PID 1360 wrote to memory of 2612	1360	cmd.exe	schtasks.exe
PID 3368 wrote to memory of 4628	3368		cmd.exe
PID 3368 wrote to memory of 4628	3368		cmd.exe
PID 4628 wrote to memory of 3252	4628	cmd.exe	schtasks.exe
PID 4628 wrote to memory of 3252	4628	cmd.exe	schtasks.exe
PID 3368 wrote to memory of 2504	3368		cmd.exe
PID 3368 wrote to memory of 2504	3368		cmd.exe
PID 2504 wrote to memory of 1472	2504	cmd.exe	schtasks.exe
PID 2504 wrote to memory of 1472	2504	cmd.exe	schtasks.exe
PID 3368 wrote to memory of 4572	3368		cmd.exe
PID 3368 wrote to memory of 4572	3368		cmd.exe
PID 4572 wrote to memory of 1588	4572	cmd.exe	schtasks.exe
PID 4572 wrote to memory of 1588	4572	cmd.exe	schtasks.exe
PID 3368 wrote to memory of 2348	3368		cmd.exe
PID 3368 wrote to memory of 2348	3368		cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4576

C:\Windows\system32\DeviceEnroller.exe
C:\Windows\system32\DeviceEnroller.exe
1⤵
PID:3700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\oDWcxe.cmd
1⤵
PID:3532

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:2596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\1B3I.cmd
1⤵
- Drops file in System32 directory
PID:3516

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\rxDr.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /Create /F /TN "Kzpieth" /TR C:\Windows\system32\CCgo\sdclt.exe /SC minute /MO 60 /RL highest
3⤵
- Creates scheduled task(s)
PID:1536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:3788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:2148

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
- Suspicious use of WriteProcessMemory
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:2864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:3176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:4144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:3412

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:2612

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:3252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1204

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:4624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1148

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:5028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:3152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:4748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:2608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:2520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:3540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:4588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:3288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:4472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:4152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:4400

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1204

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1460

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:2948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:2640

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:3784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:3232

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:3108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:2916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:4200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:3812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:3820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:2940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:3176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:2512

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:3272

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:3580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:3252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:4680

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:412

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:3024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:3276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:2180

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:4552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:3660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:4568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:4364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:4320

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:3004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:3288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:352

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:2616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:3276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:2924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:2448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:1288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kzpieth"
1⤵
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Kzpieth"
2⤵
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1B3I.cmd

Filesize
191B

MD5
90a4776eda5cd382dd05f27a8b62e4e8

SHA1
0f72d6dd613e7b4231ea442e47a67e5a6a6e1199

SHA256
d00cd99566ea896a14b2471a4ca963e889612a0df56edae2d51c91a67026e163

SHA512
a503c769a675622ff021c4e32cee2af26060ef218eb69402d6f66ebc000c4248528401ca012a8f6c495f0f8662fa65c1ef72443312948b545d76041c2ceb0e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oDWcxe.cmd

Filesize
232B

MD5
394495f6f34dde82792fa09a7dc8a6db

SHA1
c7973933f2cdb79f6bf699c0f72122ac16ba5db4

SHA256
ddcb440adf43443773e43cfe11efa2649e9778f548db9a18e1e5fa954525e0ed

SHA512
5086ccfe2180d01291475e75ce43d67b743e82e79f720611ad4351691c6380e9322857efa295d468a785d57c1e14748ef4ca682e661a12a11bd3b572958473e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\oE8F8.tmp

Filesize
628KB

MD5
a6a9e4ea86ef6033a9d31e971e03eb11

SHA1
6296c99833c53ef808f546872dc42f8378069c94

SHA256
82b4f72ecf12b24caca2cdfc0363ead8be6683b7d5352a28bb577ebd26cb3473

SHA512
ff0108d021ca9d8e59ad26a37af4600a469744cc4858c753d219249689c3a0e8fe44994a592ab999f93fe12520ba526fa54f475205dfffe0f189b33f6e526cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxDr.cmd

Filesize
121B

MD5
931c66c975436c1252959ec79c5a60bc

SHA1
f5f5d65976fe330ac01041dd8cb530e036b04d50

SHA256
ded1a23c482f6f6bcd9db2df0fb0fbf88e9802f5abf04bbdfe76de49e86f4414

SHA512
54df34a53cc2bd629a48bcf49be782480797de8d4ed3b38c2b22525190ad7783d4b85fa17e891170f59fdb99141555f6391b81626dd62346a800af08f698edf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vT11FD.tmp

Filesize
632KB

MD5
6b738e0c42b1eb141d658aacd4cc617c

SHA1
761b182728a6a2fbc8f1e6c9115ca1cc7dfdb9a8

SHA256
c98f9b99e10edddec1cf15f6ef7d56ab28bb95a8a81c5a7f2c0791cb1f774d34

SHA512
870c032d5730a65ae8ea7be49388727b2556381442f1a3e44ff2b6bb1a9fd214e7f5cde9230d112bee12b53c9407cd6bf18fdc9e664e59e3836dceedb45de70d

Download Submit
C:\Users\Admin\AppData\Roaming\7NBp\DeviceEnroller.exe

Filesize
476KB

MD5
6d7d467c99d41f29db21fad589f36a02

SHA1
0e684f3bcab86fd85c18502fc18c3a34d670effe

SHA256
748cb48c3a083f20001606ef8c82d356b2edc11dd160c01eb82cc14881001cd2

SHA512
72aa8756d676177f16f63ae811e692e87b2ca4fdee88a3dcdd700eed42e576457264a65efd7f489400839158285a7a1b0b472994bad5ade5744abbfc13e13336

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Nqykhcmevtotyc.lnk

Filesize
930B

MD5
7eef029c4dbd5ef5d9a183b7d605b8d2

SHA1
357cb27e19e57b7a988cb2c10956b19d3a805d5c

SHA256
8c63d709a78f31c432e823d9d0541f149023fb4563ef88e02426663881a2b123

SHA512
a3941ca57692778a6cf4206830759f96740c12b827d6745a5ae9a0fb140948cc9e5ccbfdcae90c6cec72a010332f5bc30149deadcc3ce81854a1d425be7cc584

Download Submit
memory/3368-8-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3368-31-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3368-11-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3368-12-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3368-13-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3368-15-0x0000000000630000-0x0000000000637000-memory.dmp

Filesize
28KB

Download
memory/3368-14-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3368-21-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3368-22-0x00007FF8B18B0000-0x00007FF8B18C0000-memory.dmp

Filesize
64KB

Download
memory/3368-10-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3368-33-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3368-9-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3368-3-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/3368-7-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3368-5-0x00007FF8B0B37000-0x00007FF8B0B38000-memory.dmp

Filesize
4KB

Download
memory/4576-6-0x00007FF8A2390000-0x00007FF8A242D000-memory.dmp

Filesize
628KB

Download
memory/4576-0-0x00007FF8A2390000-0x00007FF8A242D000-memory.dmp

Filesize
628KB

Download
memory/4576-2-0x000002770AAA0000-0x000002770AAA7000-memory.dmp

Filesize
28KB

Download