Analysis

max time kernel: 1800s
max time network: 1799s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 30-04-2024 20:33

Static task: static1
Behavioral task behavioral1: sample Neverlose.cc Crack.exe, resource win10-20240404-en
Behavioral task behavioral2: sample Neverlose.cc Crack.exe, resource win10-20240404-en
Behavioral task behavioral3: sample Neverlose.cc Crack.exe, resource win7-20240221-en
Behavioral task behavioral4: sample Neverlose.cc Crack.exe, resource win10v2004-20240426-en
Behavioral task behavioral5: sample Neverlose.cc Crack.exe, resource win11-20240419-en
General

Target: Neverlose.cc Crack.exe
Size: 4.6MB
MD5: cb2be30171f2abcd864d4afbce7cbf4a
SHA1: 9b9328b84ca32f6026430b98390e718d971c82ed
SHA256: de7598261915dd8568f29b70b0a122daf90a086bb2a4d976474f4873b55949bc
SHA512: 935fca6c2e7de61a257bb225097308dc243f4cfd470ac70a80ab319c4af0ae5dbcd893fdd3d3558bcebbf7fb129cc96dfdf054b649d44c6be15f5267be73710c
SSDEEP: 98304:l2wqFuVDp+YL9l5LPDj2VWnPt1Igxrgjc0iXs/oMoaq9l44R0:0wuudpZL9l5LPkw11InWp47
Malware Config

Signatures

DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan active since June 2019 that can load additional plugins.

Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
Winlogon starts every comma-separated entry of the Shell value as the user's shell at logon; the default is the single entry explorer.exe. intobroker.exe appended its dropped binaries one at a time:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer.exe, "C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe" | intobroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer.exe, "C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe", "C:\Program Files\Common Files\System\msadc\ja-JP\System.exe" | intobroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer.exe, "C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe", "C:\Program Files\Common Files\System\msadc\ja-JP\System.exe", "C:\Recovery\WindowsRE\sppsvc.exe" | intobroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer.exe, "C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe", "C:\Program Files\Common Files\System\msadc\ja-JP\System.exe", "C:\Recovery\WindowsRE\sppsvc.exe", "C:\Program Files (x86)\Windows Sidebar\sppsvc.exe" | intobroker.exe
Process spawned unexpected child process (12 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is WmiPrvSE.exe, which is what a process created through WMI (Win32_Process.Create) looks like; that is also why the twelve schtasks.exe runs sit at the root of the process tree below rather than under intobroker.exe.
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 4364) is not expected to spawn this process:
schtasks.exe PIDs 3532, 3168, 3636, 4648, 5072, 2112, 308, 2540, 4072, 1604, 4388, 4344
UAC bypass (6 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0 | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = 0 | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = 0 | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0 | intobroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = 0 | intobroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = 0 | intobroker.exe

YARA rule matches (3 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\explorer.exe | dcrat
C:\Bridgeserverintocommon\intobroker.exe | dcrat
behavioral2/memory/4340-34-0x0000000000470000-0x00000000007D8000-memory.dmp | dcrat
Executes dropped EXE (14 IoCs)
pid | process
2656 explorer.exe, 4728 AimStar.exe, 4340 intobroker.exe, 1224 sppsvc.exe, 288 sppsvc.exe, 4456 System.exe, 700 sppsvc.exe, 264 SearchUI.exe, 1848 System.exe, 2212 sppsvc.exe, 2564 sppsvc.exe, 2208 System.exe, 1924 SearchUI.exe, 1092 sppsvc.exe

Adds Run key to start application (2 TTPs, 8 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "C:\Program Files (x86)\Windows Sidebar\sppsvc.exe" | intobroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchUI = "C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe" | intobroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchUI = "C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe" | intobroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "C:\Program Files\Common Files\System\msadc\ja-JP\System.exe" | intobroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\Program Files\Common Files\System\msadc\ja-JP\System.exe" | intobroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "C:\Recovery\WindowsRE\sppsvc.exe" | intobroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "C:\Recovery\WindowsRE\sppsvc.exe" | intobroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "C:\Program Files (x86)\Windows Sidebar\sppsvc.exe" | intobroker.exe
Checks whether UAC is enabled (4 IoCs)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | intobroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0 | intobroker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0 | sppsvc.exe
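The registry signatures above (Winlogon Shell, the three UAC policy values, and the Run keys) are the kind of "Set value" events a host sensor emits; the example below, added here and not part of the sandbox report, shows how to triage such events automatically. The event records are constructed from the report's own IoCs plus three benign controls; the key/data/process field names are an assumption of this example, not a sandbox or Sysmon schema. It flags Shell entries beyond the default explorer.exe, UAC controls set to 0, and Run keys whose target lives in a locale resource folder or under C:\Recovery, two places that never hold legitimate startup executables.

```python
# Added example (not from the sandbox report): triage of registry "Set value" events
# like the ones listed for intobroker.exe and sppsvc.exe. EVENTS is constructed from
# the report's IoCs plus benign controls; the key/data/process layout is an assumption.
import re

WINLOGON_SHELL = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Values that disable a UAC control: UAC off at next boot / admins elevated silently /
# prompt no longer on the secure desktop (so it can be spoofed).
UAC_WEAK = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0", "PromptOnSecureDesktop": "0"}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
# Locale folders (\uk-UA\, \ja-JP\) hold .mui resources, never executables;
# C:\Recovery holds the recovery environment image, not startup programs.
ODD_EXE_DIR_RE = re.compile(r"\\[a-z]{2}-[A-Z]{2}\\[^\\]+$|^C:\\Recovery\\", re.I)

EVENTS = [
    {"key": WINLOGON_SHELL,
     "data": 'explorer.exe, "C:\\Program Files\\Internet Explorer\\uk-UA\\SearchUI.exe", '
             '"C:\\Program Files\\Common Files\\System\\msadc\\ja-JP\\System.exe"',
     "process": "intobroker.exe"},
    {"key": UAC_POLICY_KEY + r"\EnableLUA", "data": "0", "process": "sppsvc.exe"},
    {"key": UAC_POLICY_KEY + r"\ConsentPromptBehaviorAdmin", "data": "0", "process": "sppsvc.exe"},
    {"key": UAC_POLICY_KEY + r"\PromptOnSecureDesktop", "data": "0", "process": "intobroker.exe"},
    {"key": r"\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchUI",
     "data": '"C:\\Program Files\\Internet Explorer\\uk-UA\\SearchUI.exe"', "process": "intobroker.exe"},
    {"key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc",
     "data": '"C:\\Recovery\\WindowsRE\\sppsvc.exe"', "process": "intobroker.exe"},
    # Constructed benign controls: default shell, UAC left on, an ordinary Run entry with arguments.
    {"key": WINLOGON_SHELL, "data": "explorer.exe", "process": "setup.exe"},
    {"key": UAC_POLICY_KEY + r"\EnableLUA", "data": "1", "process": "setup.exe"},
    {"key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AcmeUpdater",
     "data": '"C:\\Program Files\\Acme\\updater.exe" /quiet', "process": "setup.exe"},
]


def exe_from_command(cmd):
    """First token of a Run-key command: the quoted path if quoted, else up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def shell_extras(data):
    """Entries in a Winlogon\\Shell value other than the default explorer.exe."""
    entries = [e.strip().strip('"') for e in data.split(",")]
    return [e for e in entries if e and e.lower() != "explorer.exe"]


def triage(events):
    """Return (finding, detail, process) tuples for events that weaken UAC or add an autostart."""
    findings = []
    for ev in events:
        key, data, proc = ev["key"], ev["data"], ev["process"]
        if key.lower() == WINLOGON_SHELL.lower():
            for extra in shell_extras(data):
                findings.append(("winlogon_shell", extra, proc))
        elif key.lower().startswith(UAC_POLICY_KEY.lower() + "\\"):
            name = key.rsplit("\\", 1)[1]
            if UAC_WEAK.get(name) == data.strip():
                findings.append(("uac_weakened", f"{name}={data}", proc))
        else:
            m = RUN_KEY_RE.search(key)
            if m:
                exe = exe_from_command(data)
                if ODD_EXE_DIR_RE.search(exe):
                    findings.append(("run_key_odd_dir", f"{m.group('name')} -> {exe}", proc))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(*finding, sep=" | ")
```

Run against the constructed events this yields seven findings: two extra Shell entries, three UAC values forced to 0, and the two Run keys pointing into uk-UA\ and C:\Recovery\; the three control events produce nothing. The Shell check is deliberately a whitelist (anything but explorer.exe), since a second shell entry has no legitimate use on a workstation.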
Drops file in Program Files directory (7 IoCs)
description | ioc | process
File created | C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe | intobroker.exe
File opened for modification | C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe | intobroker.exe
File created | C:\Program Files\Internet Explorer\uk-UA\dab4d89cac03ec | intobroker.exe
File created | C:\Program Files\Common Files\System\msadc\ja-JP\System.exe | intobroker.exe
File created | C:\Program Files\Common Files\System\msadc\ja-JP\27d1bcfc3c54e0 | intobroker.exe
File created | C:\Program Files (x86)\Windows Sidebar\sppsvc.exe | intobroker.exe
File created | C:\Program Files (x86)\Windows Sidebar\0a1fd5f707cd16 | intobroker.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
3532 schtasks.exe, 2112 schtasks.exe, 2540 schtasks.exe, 1604 schtasks.exe, 4388 schtasks.exe, 3168 schtasks.exe, 3636 schtasks.exe, 4648 schtasks.exe, 5072 schtasks.exe, 308 schtasks.exe, 4072 schtasks.exe, 4344 schtasks.exe
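The twelve schtasks.exe command lines are spelled out in the process list further down; the example below, added here and not part of the sandbox report, parses them and scores what each task would do. The sample commands are copied from the report's process list and the last one is a constructed benign control. KNOWN_HOME is this example's assumption about where the named binaries live on a stock Windows 10 install (sppsvc.exe in System32, SearchUI.exe under SystemApps); it is used only to spot a trusted name in the wrong directory. The parser also reports task names that were /create'd more than once: with /f the later definition silently replaces the earlier one, which is why the report's four "sppsvcs" creations leave only one task.

```python
# Added example (not from the sandbox report): parse `schtasks /create` command lines
# and score the resulting tasks. SAMPLE_COMMANDS come from the report's process list
# except the last, constructed benign one. KNOWN_HOME is an assumption about a stock
# Windows 10 layout, used to detect trusted binary names outside their real directory.
import re
from collections import Counter

TOKEN_RE = re.compile(r'"[^"]*"|\S+')                 # a quoted argument or a bare word
LOCALE_DIR_RE = re.compile(r"\\[a-z]{2}-[A-Z]{2}\\")   # \uk-UA\, \ja-JP\: .mui resource folders
EXE_RE = re.compile(r"^(.*?\.exe)(?:\s|$)", re.I)

KNOWN_HOME = {
    "sppsvc.exe": ("c:\\windows\\system32\\",),
    "searchui.exe": ("c:\\windows\\systemapps\\",),
    "explorer.exe": ("c:\\windows\\",),
}

SAMPLE_COMMANDS = r'''
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe'" /f
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\System\msadc\ja-JP\System.exe'" /f
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\msadc\ja-JP\System.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\msadc\ja-JP\System.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\sppsvc.exe'" /f
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\sppsvc.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\sppsvc.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe /full" /f
'''.strip().splitlines()


def parse_schtasks(cmd):
    """Map each /switch to its value (outer quotes removed), or True for bare flags like /f."""
    toks = TOKEN_RE.findall(cmd)
    opts, i = {}, 1                      # toks[0] is schtasks.exe itself
    while i < len(toks):
        name = toks[i].lstrip("/").lower()
        if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[name] = toks[i + 1].strip('"')
            i += 2
        else:
            opts[name] = True
            i += 1
    return opts


def target_exe(tr):
    """Executable path from a /tr value; this sample wraps the path in '...' inside the "..." quotes."""
    m = EXE_RE.match(tr.strip().strip("'"))
    return m.group(1) if m else tr


def assess(cmd):
    """(task name, target exe, flags) for one schtasks /create command line."""
    opts = parse_schtasks(cmd)
    exe = target_exe(str(opts.get("tr", "")))
    low = exe.lower()
    flags = []
    homes = KNOWN_HOME.get(low.rsplit("\\", 1)[-1])
    if homes and not low.startswith(homes):
        flags.append("masquerade")        # trusted binary name outside its real directory
    if LOCALE_DIR_RE.search(exe):
        flags.append("locale_dir")        # resource folders never hold executables
    if low.startswith("c:\\recovery\\"):
        flags.append("recovery_dir")
    if str(opts.get("sc", "")).upper() == "MINUTE" and "mo" in opts:
        flags.append(f"relaunch_every_{opts['mo']}min")   # watchdog: restarts the implant if killed
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        flags.append("highest_privileges")
    return opts.get("tn", ""), exe, flags


def reused_task_names(cmds):
    """Task names created more than once; with /f the last definition wins."""
    counts = Counter(assess(c)[0] for c in cmds)
    return {name: n for name, n in counts.items() if n > 1}


if __name__ == "__main__":
    for c in SAMPLE_COMMANDS:
        print(assess(c))
    print("reused:", reused_task_names(SAMPLE_COMMANDS))
```

Every one of the report's twelve tasks scores at least one flag, and the pattern is the same for each dropped binary: one ONLOGON task at highest run level plus minute-interval relaunch tasks, so the implant comes back within minutes of being killed. System.exe is not flagged as a masquerade because no Windows executable carries that name; it is caught by the locale-folder check instead.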
Modifies registry class (3 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | intobroker.exe
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | sppsvc.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process
4340 intobroker.exe (5 entries); 1224 sppsvc.exe (the remaining entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | process
1224 sppsvc.exe

Suspicious use of AdjustPrivilegeToken (15 IoCs)
description | pid | process
Token: SeDebugPrivilege | 4340 | intobroker.exe
Token: SeDebugPrivilege | 1224 | sppsvc.exe
Token: SeBackupPrivilege | 4376 | vssvc.exe
Token: SeRestorePrivilege | 4376 | vssvc.exe
Token: SeAuditPrivilege | 4376 | vssvc.exe
Token: SeDebugPrivilege | 288 | sppsvc.exe
Token: SeDebugPrivilege | 4456 | System.exe
Token: SeDebugPrivilege | 700 | sppsvc.exe
Token: SeDebugPrivilege | 264 | SearchUI.exe
Token: SeDebugPrivilege | 1848 | System.exe
Token: SeDebugPrivilege | 2212 | sppsvc.exe
Token: SeDebugPrivilege | 2564 | sppsvc.exe
Token: SeDebugPrivilege | 2208 | System.exe
Token: SeDebugPrivilege | 1924 | SearchUI.exe
Token: SeDebugPrivilege | 1092 | sppsvc.exe
Suspicious use of WriteProcessMemory (26 IoCs)
Each parent-to-child write is listed once here with its repeat count; together they trace the launch chain shown in the process tree.
pid | process | target pid | target process | count
4472 | Neverlose.cc Crack.exe | 2656 | explorer.exe | 3
4472 | Neverlose.cc Crack.exe | 4728 | AimStar.exe | 2
2656 | explorer.exe | 1284 | WScript.exe | 3
2656 | explorer.exe | 1244 | WScript.exe | 3
1284 | WScript.exe | 2728 | cmd.exe | 3
2728 | cmd.exe | 4340 | intobroker.exe | 2
4340 | intobroker.exe | 4452 | cmd.exe | 2
4452 | cmd.exe | 2624 | w32tm.exe | 2
4452 | cmd.exe | 1224 | sppsvc.exe | 2
1224 | sppsvc.exe | 2504 | WScript.exe | 2
1224 | sppsvc.exe | 1052 | WScript.exe | 2
System policy modification (1 TTPs, 6 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = 0 | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = 0 | sppsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0 | intobroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = 0 | intobroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = 0 | intobroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0 | sppsvc.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Each entry gives the process image, its command line and the signatures it triggered; the leading number is the depth in the tree.

1  C:\Users\Admin\AppData\Local\Temp\Neverlose.cc Crack.exe
   cmd: "C:\Users\Admin\AppData\Local\Temp\Neverlose.cc Crack.exe"
   - Suspicious use of WriteProcessMemory
  2  C:\Users\Admin\AppData\Local\Temp\explorer.exe
     cmd: "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
     - Executes dropped EXE
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
    3  C:\Windows\SysWOW64\WScript.exe
       cmd: "C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\bSNjmil342lqhlp3K93FQgNExNLM1.vbe"
       - Suspicious use of WriteProcessMemory
      4  C:\Windows\SysWOW64\cmd.exe
         cmd: C:\Windows\system32\cmd.exe /c ""C:\Bridgeserverintocommon\G4Oc3Bdfs8kP1V8eo9CqkhGYM0as.bat" "
         - Suspicious use of WriteProcessMemory
        5  C:\Bridgeserverintocommon\intobroker.exe
           cmd: "C:\Bridgeserverintocommon\intobroker.exe"
           - Modifies WinLogon for persistence
           - UAC bypass
           - Executes dropped EXE
           - Adds Run key to start application
           - Checks whether UAC is enabled
           - Drops file in Program Files directory
           - Modifies registry class
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of WriteProcessMemory
           - System policy modification
          6  C:\Windows\System32\cmd.exe
             cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lCQZmTZqZs.bat"
             - Suspicious use of WriteProcessMemory
            7  C:\Windows\system32\w32tm.exe
               cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            7  C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
               cmd: "C:\Program Files (x86)\Windows Sidebar\sppsvc.exe"
               - UAC bypass
               - Executes dropped EXE
               - Checks whether UAC is enabled
               - Modifies registry class
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious behavior: GetForegroundWindowSpam
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
               - System policy modification
              8  C:\Windows\System32\WScript.exe
                 cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e954f97-d915-49a5-bcfb-32a94bcb3a02.vbs"
              8  C:\Windows\System32\WScript.exe
                 cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ab6bb90-ffc3-427c-bd23-1c05e0f2a8b6.vbs"
    3  C:\Windows\SysWOW64\WScript.exe
       cmd: "C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\file.vbs"
  2  C:\Users\Admin\AppData\Local\Temp\AimStar.exe
     cmd: "C:\Users\Admin\AppData\Local\Temp\AimStar.exe"
     - Executes dropped EXE

The following twelve schtasks.exe processes start at the root of the tree (parent wmiprvse.exe, see the signature above); each is flagged "Process spawned unexpected child process" and "Creates scheduled task(s)":

1  C:\Windows\system32\schtasks.exe
   cmd: schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe'" /f
1  C:\Windows\system32\schtasks.exe
   cmd: schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe'" /rl HIGHEST /f
1  C:\Windows\system32\schtasks.exe
   cmd: schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe'" /rl HIGHEST /f
1  C:\Windows\system32\schtasks.exe
   cmd: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\System\msadc\ja-JP\System.exe'" /f
1  C:\Windows\system32\schtasks.exe
   cmd: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\msadc\ja-JP\System.exe'" /rl HIGHEST /f
1  C:\Windows\system32\schtasks.exe
   cmd: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\msadc\ja-JP\System.exe'" /rl HIGHEST /f
1  C:\Windows\system32\schtasks.exe
   cmd: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1  C:\Windows\system32\schtasks.exe
   cmd: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1  C:\Windows\system32\schtasks.exe
   cmd: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1  C:\Windows\system32\schtasks.exe
   cmd: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\sppsvc.exe'" /f
1  C:\Windows\system32\schtasks.exe
   cmd: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\sppsvc.exe'" /rl HIGHEST /f
1  C:\Windows\system32\schtasks.exe
   cmd: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\sppsvc.exe'" /rl HIGHEST /f

1  C:\Windows\system32\vssvc.exe
   cmd: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken
1  C:\Windows\system32\wbem\WmiApSrv.exe
   cmd: C:\Windows\system32\wbem\WmiApSrv.exe

The following ten processes also start at the root of the tree (their command line is the quoted image path); each is flagged "Executes dropped EXE" and "Suspicious use of AdjustPrivilegeToken":

1  C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
1  C:\Program Files\Common Files\System\msadc\ja-JP\System.exe
1  C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
1  C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe
1  C:\Program Files\Common Files\System\msadc\ja-JP\System.exe
1  C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
1  C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
1  C:\Program Files\Common Files\System\msadc\ja-JP\System.exe
1  C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe
1  C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
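The tree above is rendered from parent-to-child relationships of the kind the WriteProcessMemory and "unexpected child" tables record. The example below, added here and not part of the sandbox report, rebuilds that tree from such records and flags the chains an analyst would pull out first: an executable reached through WScript.exe then cmd.exe (the script-plus-batch dropper stage), w32tm /stripchart against localhost (a batch-file stand-in for sleep, here before sppsvc.exe is started), schtasks.exe whose parent is the WMI provider host, and images running from %TEMP% or from a custom folder directly under the drive root such as C:\Bridgeserverintocommon. EDGES is constructed from the report (PIDs, images and command lines as listed there); the tuple layout and the STANDARD_TOP folder list are assumptions of this example.

```python
# Added example (not from the sandbox report): rebuild a process tree from
# parent->child records and flag notable execution chains. EDGES is constructed
# from the report's tables; the tuple layout and STANDARD_TOP are assumptions.

# (parent_pid, parent_image, child_pid, child_image_path, child_cmdline)
EDGES = [
    (4472, r"C:\Users\Admin\AppData\Local\Temp\Neverlose.cc Crack.exe", 2656,
     r"C:\Users\Admin\AppData\Local\Temp\explorer.exe", ""),
    (4472, r"C:\Users\Admin\AppData\Local\Temp\Neverlose.cc Crack.exe", 4728,
     r"C:\Users\Admin\AppData\Local\Temp\AimStar.exe", ""),
    (2656, r"C:\Users\Admin\AppData\Local\Temp\explorer.exe", 1284, r"C:\Windows\SysWOW64\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\bSNjmil342lqhlp3K93FQgNExNLM1.vbe"'),
    (1284, r"C:\Windows\SysWOW64\WScript.exe", 2728, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Bridgeserverintocommon\G4Oc3Bdfs8kP1V8eo9CqkhGYM0as.bat" "'),
    (2728, r"C:\Windows\SysWOW64\cmd.exe", 4340, r"C:\Bridgeserverintocommon\intobroker.exe", ""),
    (4340, r"C:\Bridgeserverintocommon\intobroker.exe", 4452, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lCQZmTZqZs.bat"'),
    (4452, r"C:\Windows\System32\cmd.exe", 2624, r"C:\Windows\system32\w32tm.exe",
     r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    (4452, r"C:\Windows\System32\cmd.exe", 1224, r"C:\Program Files (x86)\Windows Sidebar\sppsvc.exe", ""),
    (4364, r"C:\Windows\system32\wbem\wmiprvse.exe", 3532, r"C:\Windows\system32\schtasks.exe",
     r'''schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe'" /f'''),
    (4364, r"C:\Windows\system32\wbem\wmiprvse.exe", 3168, r"C:\Windows\system32\schtasks.exe",
     r'''schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe'" /rl HIGHEST /f'''),
]

# Top-level folders that normally contain executables on a Windows system drive (assumption).
STANDARD_TOP = {"windows", "program files", "program files (x86)", "users", "programdata"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_tree(edges):
    """parents: child pid -> parent pid; images: pid -> image path; cmdlines: pid -> command line."""
    parents, images, cmdlines = {}, {}, {}
    for ppid, pimage, cpid, cimage, ccmd in edges:
        images.setdefault(ppid, pimage)
        images[cpid] = cimage
        parents[cpid] = ppid
        cmdlines[cpid] = ccmd
    return parents, images, cmdlines


def ancestry(pid, parents, images):
    """Image names from the root process down to pid; its length is the depth shown in the report."""
    chain = []
    while pid is not None:
        chain.append(basename(images[pid]))
        pid = parents.get(pid)
    return chain[::-1]


def odd_directory(path):
    """True for an image in a Temp folder or in a custom folder directly under the drive root."""
    parts = path.split("\\")
    if len(parts) < 3 or not parts[0].endswith(":"):
        return False
    if "temp" in (p.lower() for p in parts[1:-1]):
        return True
    return parts[1].lower() not in STANDARD_TOP


def findings(edges):
    """(pid, reason) for children whose launch chain or location stands out."""
    parents, images, cmdlines = build_tree(edges)
    out = []
    for pid in parents:
        chain = [n.lower() for n in ancestry(pid, parents, images)]
        me, cmd = chain[-1], cmdlines.get(pid, "").lower()
        if me == "schtasks.exe" and chain[-2] == "wmiprvse.exe":
            out.append((pid, "schtasks created through WMI (parent is the WMI provider host)"))
        if me == "w32tm.exe" and "/stripchart" in cmd and "/computer:localhost" in cmd:
            out.append((pid, "w32tm /stripchart against localhost used as a sleep/delay"))
        if chain[-3:-1] == ["wscript.exe", "cmd.exe"]:
            out.append((pid, "executable launched through a WScript -> cmd dropper chain"))
        if odd_directory(images[pid]):
            out.append((pid, f"image runs from an unusual directory: {images[pid]}"))
    return out


if __name__ == "__main__":
    parents, images, _ = build_tree(EDGES)
    print(" -> ".join(ancestry(1224, parents, images)))
    for pid, reason in findings(EDGES):
        print(pid, reason)
```

For PID 1224 the reconstructed ancestry has seven entries, matching the depth the report shows for that sppsvc.exe; the dropped explorer.exe, AimStar.exe and intobroker.exe are caught by the directory check, intobroker.exe additionally by the WScript -> cmd chain. A real deployment would feed the same functions with process-creation events (parent PID, image, command line) from a sensor instead of the constructed EDGES list.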
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Scheduled Task/Job (1)
Downloads

C:\Bridgeserverintocommon\G4Oc3Bdfs8kP1V8eo9CqkhGYM0as.bat
  Filesize: 42B
  MD5: 9005984f23c241ae6504691edad99db9
  SHA1: 50ec3cca58fd37b1853bd144854fb0242019d2b9
  SHA256: e4d707b17add26a6652c539cdb21c37fdad6e3ace7c81ecf2174e9822ec722de
  SHA512: 183a00fb20157a7125673eada3c8fd6c7be9b15ce84ae92e4f82c8838f6a68f3c76d8a4e38022b29480007f9ff46020e7bd3f32fd1c2684c62978a0e24e3d1ff

C:\Bridgeserverintocommon\bSNjmil342lqhlp3K93FQgNExNLM1.vbe
  Filesize: 227B
  MD5: 8ad651de9eab5382f5aeb6e0a38e22bc
  SHA1: c45b320fdec6e25ccacc31bdf3999a6fec82c9a0
  SHA256: adc8a48ba4abcaba69bb11494239f5f36da9146e54d03d3ecbf30628b77bdf01
  SHA512: 6fa241fb0c56d172dd72a1560329f573d10b2cf289aaa1e4a8e36e7a00c0f10e52fa566997654ef985f838b44b8230a5ca1215aacd1a2910ae25f0988519fb3a

C:\Bridgeserverintocommon\file.vbs
  Filesize: 34B
  MD5: 677cc4360477c72cb0ce00406a949c61
  SHA1: b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
  SHA256: f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
  SHA512: 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

C:\Bridgeserverintocommon\intobroker.exe
  Filesize: 3.4MB
  MD5: 34f09d31d624cddea4794d6b60fb342a
  SHA1: 21dae839ec2ac251c1d80d51e32e5b0f7c9c208f
  SHA256: fd3a3a73eaee67019836012fff9be8474388fe57f8fcf0fb60d0326acd9a9c8f
  SHA512: e1f3c7e71a9921b6c2be32ace2ed8b809a81bfa5047034f4d3acf13386154bbda150c812def937542e01f7228b52cfe3fef1fe4446503f7a0048c852c7b2e873

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log
  Filesize: 1KB
  MD5: d63ff49d7c92016feb39812e4db10419
  SHA1: 2307d5e35ca9864ffefc93acf8573ea995ba189b
  SHA256: 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
  SHA512: 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

C:\Users\Admin\AppData\Local\Temp\1e954f97-d915-49a5-bcfb-32a94bcb3a02.vbs
  Filesize: 725B
  MD5: c6d1a32671a36ab4bba8879a2c246c04
  SHA1: 30918888446c3a6f0ad6a1ed480cbf610235c45f
  SHA256: 96fb212a0aed18b31af03cfe19db2de55e12410ab19857a65666d721fc130b44
  SHA512: 46f26f7bcd00ba87dd690c9fedc5cb9e058516337e63579cef493ef25fdd603fc0070b3a982457da56b70d95cfd007d71fe2f53c87c2568c0a92d823530c6679

C:\Users\Admin\AppData\Local\Temp\9ab6bb90-ffc3-427c-bd23-1c05e0f2a8b6.vbs
  Filesize: 501B
  MD5: 4094599379beb1af19142ce90d132c66
  SHA1: 262b3eb6036bf7fc80378d6721bb6ea16f52fba6
  SHA256: e503ebeb4229987d8c7e8b3c6f87d035000b5e2969713253b36d8ff8a049ada4
  SHA512: bf755c0ffee1267d8390f57d1c4020bc842e2746875fa6e01a5cf46f22e838c8923e88fafcd24512a6114c1248fc4a10bf81d86ff9c4f22e7c4efa94c11207d8

C:\Users\Admin\AppData\Local\Temp\AimStar.exe
  Filesize: 2.2MB
  MD5: 61f4153bfff66366181c4102763763b6
  SHA1: 69e7786d66e718426321e2db61a6bafb3129b6a9
  SHA256: e785f907b24d5397d7dc19386dd8fcceb442395b67c023ab43f8aa9b0346c199
  SHA512: e98b2d49cd3e189e37670b937954e46b3c8f002dffb4bfcc764d8145acdd6b33042d408b05883cd8f3678382bb02ba58fc84e10273778307630c8ec49c24d4bb

C:\Users\Admin\AppData\Local\Temp\explorer.exe
  Filesize: 3.7MB
  MD5: 3aff466445051bd93a7ea3ae519587ef
  SHA1: 516c1e9da912f6d988146fb812d88bdc7b30588a
  SHA256: 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e
  SHA512: 3870bd70e038bb27035eec3eb8bd8f88c2bb720f59dd5283e2bc095f540e3ab4d6e991d7a601b4d809d8de7e7592d2010c41cf57b708ea2f42a5323353a8338f

C:\Users\Admin\AppData\Local\Temp\lCQZmTZqZs.bat
  Filesize: 214B
  MD5: 9dca10f109c8894680c6d0b18c95b120
  SHA1: bcacaf25328c106cc560725d439fbc52df32a12f
  SHA256: 62f9917b9c88aef04fe3092c1c0651e90a359597e93dcb75d6323aefff45ec9d
  SHA512: 2d2e004318ff16bd6a2d0bf5908c0c19da221ec5fb145b2f6abc660fb106efcd1bcb1de5beef1eda7e5f638d80e52b3a643f88adfdb822764d5dbb3fa16ea677
Memory dumps (name, Filesize):
memory/1224-96-0x000000001E510000-0x000000001E6D2000-memory.dmp  1.8MB
memory/4340-51-0x000000001B600000-0x000000001B608000-memory.dmp  32KB
memory/4340-56-0x000000001BBC0000-0x000000001BBCC000-memory.dmp  48KB
memory/4340-41-0x000000001B400000-0x000000001B410000-memory.dmp  64KB
memory/4340-40-0x000000001B3F0000-0x000000001B3F8000-memory.dmp  32KB
memory/4340-42-0x000000001B530000-0x000000001B546000-memory.dmp  88KB
memory/4340-43-0x000000001B410000-0x000000001B41C000-memory.dmp  48KB
memory/4340-44-0x000000001B550000-0x000000001B562000-memory.dmp  72KB
memory/4340-45-0x000000001B560000-0x000000001B56C000-memory.dmp  48KB
memory/4340-46-0x000000001B570000-0x000000001B578000-memory.dmp  32KB
memory/4340-47-0x000000001B5D0000-0x000000001B5E0000-memory.dmp  64KB
memory/4340-48-0x000000001B5E0000-0x000000001B5EA000-memory.dmp  40KB
memory/4340-49-0x000000001BB20000-0x000000001BB76000-memory.dmp  344KB
memory/4340-50-0x000000001B5F0000-0x000000001B5FC000-memory.dmp  48KB
memory/4340-38-0x000000001B3D0000-0x000000001B3EC000-memory.dmp  112KB
memory/4340-54-0x000000001BB90000-0x000000001BBA2000-memory.dmp  72KB
memory/4340-53-0x000000001BB80000-0x000000001BB88000-memory.dmp  32KB
memory/4340-52-0x000000001BB70000-0x000000001BB7C000-memory.dmp  48KB
memory/4340-58-0x000000001BBE0000-0x000000001BBEC000-memory.dmp  48KB
memory/4340-57-0x000000001BBD0000-0x000000001BBD8000-memory.dmp  32KB
memory/4340-39-0x000000001B580000-0x000000001B5D0000-memory.dmp  320KB
memory/4340-55-0x000000001C250000-0x000000001C776000-memory.dmp  5.1MB
memory/4340-59-0x000000001BBF0000-0x000000001BBFC000-memory.dmp  48KB
memory/4340-61-0x000000001BC10000-0x000000001BC1C000-memory.dmp  48KB
memory/4340-60-0x000000001BC00000-0x000000001BC08000-memory.dmp  32KB
memory/4340-65-0x000000001BD50000-0x000000001BD5E000-memory.dmp  56KB
memory/4340-69-0x000000001BD90000-0x000000001BD9A000-memory.dmp  40KB
memory/4340-68-0x000000001BD80000-0x000000001BD88000-memory.dmp  32KB
memory/4340-67-0x000000001BD70000-0x000000001BD7C000-memory.dmp  48KB
memory/4340-66-0x000000001BD60000-0x000000001BD68000-memory.dmp  32KB
memory/4340-64-0x000000001BD40000-0x000000001BD48000-memory.dmp  32KB
memory/4340-63-0x000000001BD30000-0x000000001BD3E000-memory.dmp  56KB
memory/4340-62-0x000000001BD20000-0x000000001BD2A000-memory.dmp  40KB
memory/4340-37-0x00000000029F0000-0x00000000029F8000-memory.dmp  32KB
memory/4340-36-0x00000000029E0000-0x00000000029EE000-memory.dmp  56KB
memory/4340-35-0x00000000029D0000-0x00000000029DE000-memory.dmp  56KB
memory/4340-34-0x0000000000470000-0x00000000007D8000-memory.dmp  3.4MB
memory/4472-0-0x00000000009D0000-0x0000000000E68000-memory.dmp  4.6MB
memory/4472-1-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp  9.9MB
memory/4472-2-0x000000001B940000-0x000000001B950000-memory.dmp  64KB
memory/4472-14-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp  9.9MB