Analysis Overview
SHA256
28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848
Threat Level: Known bad
The file 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848 was found to be: Known bad.
Malicious Activity Summary
DCRat payload
Dcrat family
Process spawned unexpected child process
DcRat
Modifies WinLogon for persistence
DCRat payload
Detects executables packed with SmartAssembly
Executes dropped EXE
Adds Run key to start application
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-24 18:39
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-24 18:39
Reported
2024-03-24 18:42
Platform
win7-20240221-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\", \"C:\\Users\\Public\\Documents\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\", \"C:\\Users\\Public\\Documents\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\", \"C:\\Users\\Public\\Documents\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\", \"C:\\Users\\Public\\Documents\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\", \"C:\\Users\\Public\\Documents\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\", \"C:\\Users\\Public\\Documents\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\ja-JP\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables packed with SmartAssembly
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Windows Mail\it-IT\csrss.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Documents\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Temp\\Crashpad\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\ja-JP\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Google\\CrashReports\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Temp\\Crashpad\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Google\\CrashReports\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Documents\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\ja-JP\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Performance\WinSAT\DataStore\lsass.exe | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| File created | C:\Windows\Performance\WinSAT\DataStore\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| File created | C:\Windows\CSC\v2.0.6\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| File opened for modification | C:\Windows\Performance\WinSAT\DataStore\RCX785E.tmp | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
| File opened for modification | C:\Windows\Performance\WinSAT\DataStore\lsass.exe | C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe
"C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\Crashpad\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\Crashpad\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\WinSAT\DataStore\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Documents\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\lsass.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\it-IT\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\lsass.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j1kG62r9vx.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Mail\it-IT\csrss.exe
"C:\Program Files\Windows Mail\it-IT\csrss.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | cz13602.tw1.ru | udp |
| RU | 92.53.123.166:80 | cz13602.tw1.ru | tcp |
| US | 8.8.8.8:53 | vh316.timeweb.ru | udp |
| RU | 92.53.123.166:443 | vh316.timeweb.ru | tcp |
| RU | 92.53.123.166:443 | vh316.timeweb.ru | tcp |
Files
memory/2200-0-0x0000000000380000-0x000000000058A000-memory.dmp
memory/2200-1-0x000007FEF5950000-0x000007FEF633C000-memory.dmp
memory/2200-2-0x000000001B320000-0x000000001B3A0000-memory.dmp
memory/2200-3-0x0000000000340000-0x000000000034E000-memory.dmp
memory/2200-4-0x0000000000350000-0x000000000035E000-memory.dmp
memory/2200-5-0x0000000000360000-0x0000000000368000-memory.dmp
memory/2200-6-0x0000000000600000-0x000000000061C000-memory.dmp
memory/2200-7-0x0000000000370000-0x0000000000380000-memory.dmp
memory/2200-8-0x00000000006A0000-0x00000000006B6000-memory.dmp
memory/2200-9-0x00000000006C0000-0x00000000006D0000-memory.dmp
memory/2200-10-0x00000000006D0000-0x00000000006DC000-memory.dmp
memory/2200-11-0x00000000006F0000-0x0000000000702000-memory.dmp
memory/2200-12-0x00000000008A0000-0x00000000008AC000-memory.dmp
memory/2200-13-0x0000000002120000-0x000000000212C000-memory.dmp
memory/2200-14-0x0000000002100000-0x0000000002108000-memory.dmp
memory/2200-15-0x00000000020E0000-0x00000000020EC000-memory.dmp
memory/2200-16-0x00000000020F0000-0x00000000020FE000-memory.dmp
memory/2200-17-0x0000000002110000-0x0000000002118000-memory.dmp
memory/2200-19-0x0000000002130000-0x000000000213E000-memory.dmp
memory/2200-18-0x000000001B320000-0x000000001B3A0000-memory.dmp
memory/2200-20-0x0000000002140000-0x000000000214C000-memory.dmp
memory/2200-21-0x0000000002150000-0x000000000215A000-memory.dmp
memory/2200-22-0x0000000002160000-0x000000000216C000-memory.dmp
memory/2200-31-0x000000001B320000-0x000000001B3A0000-memory.dmp
C:\Program Files\Windows Mail\it-IT\csrss.exe
| MD5 | 03072d38c3624e9d7d83016a9069b2bd |
| SHA1 | b6bc417dbb785265bbfdec6f5c8cb4b6928c1c2b |
| SHA256 | 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848 |
| SHA512 | f5300200abd8bec5d317f42617f90edd4243a9f4bd6aee05d61d72d331a4f71a13f7b118b49b9df8152bdf5b3cb6ea5711a0406b2ae5979d6579a8a2b75b2710 |
memory/2200-35-0x000000001B320000-0x000000001B3A0000-memory.dmp
memory/2200-51-0x000000001B320000-0x000000001B3A0000-memory.dmp
memory/2200-66-0x000000001B320000-0x000000001B3A0000-memory.dmp
memory/2200-81-0x000000001B320000-0x000000001B3A0000-memory.dmp
memory/2200-88-0x000000001B320000-0x000000001B3A0000-memory.dmp
memory/2200-102-0x000000001B320000-0x000000001B3A0000-memory.dmp
memory/2200-110-0x000007FEF5950000-0x000007FEF633C000-memory.dmp
memory/2200-111-0x000000001B320000-0x000000001B3A0000-memory.dmp
memory/948-126-0x000000001B1D0000-0x000000001B4B2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 2671fb1e9f68ecde59ee95c2a1067724 |
| SHA1 | d236555ce158c864745dab9cf02bddc9ac09ba61 |
| SHA256 | b4293fe18fd0c78188e10af094b41d36030ad1e4e09594514c37cef4a46c4b83 |
| SHA512 | 94cfb328010f1a1b15122ab4fc701382d0fe80d61c81015f954b406e33d91672b5ea11f308fd5f78b7e744b61fadb5251943e819fe578db1cf614d81a3640d52 |
memory/948-127-0x0000000002480000-0x0000000002488000-memory.dmp
memory/2200-125-0x000000001B320000-0x000000001B3A0000-memory.dmp
memory/2200-167-0x000007FEF5950000-0x000007FEF633C000-memory.dmp
memory/1444-166-0x000007FEEC370000-0x000007FEECD0D000-memory.dmp
memory/1444-168-0x0000000002740000-0x00000000027C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\j1kG62r9vx.bat
| MD5 | cee18913801ef5a64e8266e64ba6c898 |
| SHA1 | c65450c201ba59a4c2fec8e5e44ae1f51eba19cc |
| SHA256 | 8cde01e053a0fb1ce76f08c39c564b23187e2b4a9cbeaa894e1fa082e5480ebc |
| SHA512 | 890d27b8ade33aee52ef5134b71aa7dcc65fdf3cc2aedd89b1f486e0c7984755fc1b294d808e7dc575715dceff2bf176c586e2c6158ac6e89b4cfc5d84a3228c |
memory/1444-170-0x0000000002740000-0x00000000027C0000-memory.dmp
memory/948-171-0x000007FEEC370000-0x000007FEECD0D000-memory.dmp
memory/948-172-0x00000000028A0000-0x0000000002920000-memory.dmp
memory/948-173-0x000007FEEC370000-0x000007FEECD0D000-memory.dmp
memory/948-174-0x00000000028A0000-0x0000000002920000-memory.dmp
memory/948-175-0x00000000028A0000-0x0000000002920000-memory.dmp
memory/2408-176-0x000007FEEC370000-0x000007FEECD0D000-memory.dmp
memory/2408-177-0x0000000002600000-0x0000000002680000-memory.dmp
memory/2408-178-0x000007FEEC370000-0x000007FEECD0D000-memory.dmp
memory/2408-180-0x0000000002600000-0x0000000002680000-memory.dmp
memory/2408-179-0x0000000002600000-0x0000000002680000-memory.dmp
memory/1700-181-0x000007FEEC370000-0x000007FEECD0D000-memory.dmp
memory/1700-182-0x0000000002840000-0x00000000028C0000-memory.dmp
memory/1700-183-0x000007FEEC370000-0x000007FEECD0D000-memory.dmp
memory/1700-184-0x0000000002840000-0x00000000028C0000-memory.dmp
memory/1444-186-0x0000000002740000-0x00000000027C0000-memory.dmp
memory/948-187-0x00000000028A0000-0x0000000002920000-memory.dmp
memory/1700-185-0x0000000002840000-0x00000000028C0000-memory.dmp
memory/1444-189-0x0000000002740000-0x00000000027C0000-memory.dmp
memory/1444-188-0x000007FEEC370000-0x000007FEECD0D000-memory.dmp
memory/2408-190-0x0000000002600000-0x0000000002680000-memory.dmp
memory/1700-191-0x0000000002840000-0x00000000028C0000-memory.dmp
memory/948-192-0x000007FEEC370000-0x000007FEECD0D000-memory.dmp
memory/1700-193-0x000007FEEC370000-0x000007FEECD0D000-memory.dmp
C:\Program Files\Windows Mail\it-IT\csrss.exe
| MD5 | d7c82ee2fcf09658dc75abb4c3b307ef |
| SHA1 | caf69ffac1e03bb0e0716e03310266af526c5aea |
| SHA256 | 53e6c84280f40dff864dcd565916bf5377135c2d53a66cf3c52f5687b86ef0c4 |
| SHA512 | 66f8bbecc9f6ba5204e3f135184ada51258a0629e23486e681c2b6a01d22f72d0b96de9cfa7165884c4d22bec17b1fa6efb2c33ccd218c73f56ba4377491e441 |
memory/2408-195-0x000007FEEC370000-0x000007FEECD0D000-memory.dmp
memory/1972-197-0x00000000000A0000-0x00000000002AA000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar2F71.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-24 18:39
Reported
2024-03-24 18:40
Platform
win10v2004-20240226-en
Max time network
3s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 138.91.171.81:80 | | tcp |